N.C. Clinic Pays $750,000 to Settle Alleged HIPAA Violations

By James Swann

April 21 — A North Carolina orthopedic clinic reached a $750,000 settlement with the government over allegations that it potentially violated the HIPAA Privacy Rule by giving patient data to a business partner without first signing a business associate agreement (BAA).

The Health and Human Services Office for Civil Rights said that Raleigh Orthopaedic Clinic PA disclosed protected health information (PHI) in the form of X-ray film for roughly 17,300 patients. The X-rays were sent to a third-party vendor that didn't have a BAA with the clinic, a violation of the HIPAA Privacy Rule.

The settlement was announced April 19 and was the culmination of an OCR investigation that began after the clinic filed a breach report in April 2013.

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” Jocelyn Samuels, OCR director, said in an April 19 statement.

Kirk Nahra, an attorney with Wiley Rein in Washington, told Bloomberg BNA this is the second recent settlement involving the failure to have a BAA in place, following North Memorial Health's March settlement (53 HCDR, 3/18/16).

Nahra said the North Memorial settlement seemed to be driven by overall security failure, as well as the lack of the BAA, while the current settlement seems to be just about the missing BAA.

Nahra said he thinks most organizations have BAAs in place, but said the settlement is a good reminder to make sure of that.

“The other significant reminder, which may be more of an actual issue, is for business associates to remember that they need downstream business associate agreements with their downstream subcontractors,” Nahra said.

Under the Health Insurance Portability and Accountability Act, covered entities are prevented from disclosing PHI to unauthorized individuals. The lack of a BAA can potentially put the PHI at risk.

The Raleigh Orthopaedic Clinic didn't respond to a request for comment.

Missing BAAs

Eric Fader, an attorney with Day Pitney LLP in New York, told Bloomberg BNA that while the government has been stressing the importance of BAAs since the Health Information Technology for Economic and Clinical Health (HITECH) Act was released in 2009, some covered entities still haven't executed BAAs with all of their business associates.

Fader said other covered entities may have BAAs in place that should have been updated to comply with changes that were mandated by the 2013 HIPAA omnibus rule.

Additionally, simply maintaining PHI, without accessing it, is enough to make an organization a business associate, Fader said. This would apply to companies that provide data storage and backup services to health-care providers, Fader said.

“So any provider that assumes that it's currently in compliance with HIPAA's BAA requirements just because it did comply as of, say, 2008, is likely mistaken,” Fader said.

Fader said the second round of HIPAA audits, which were announced March 21, will audit business associates as well as covered entities, and he said a main focus of the audits will be confirming that all necessary BAAs are in place (55 HCDR, 3/22/16).

“In my view, a failure to have all required BAAs in place could very well be considered an inherently serious violation, given the core importance of BAAs in HIPAA,” Fader said.

Corrective Actions

In addition to the $750,000 payment, the Raleigh Orthopaedic Clinic agreed to enter into a two-year corrective action plan (CAP) with the OCR. Within 120 days of the start of the CAP, the clinic will have to provide the OCR with a list of all of its business partners as well as copies of all BAAs.

The clinic will also be required to revise its policies regarding business associates to ensure that BAAs become part of all future applicable business relationships, and will have to keep all documents related to the CAP for six years.

The settlement wasn't an admission of liability by the clinic, nor was it a concession by the OCR that the clinic wasn't in violation of the HIPAA rules.

To contact the reporter on this story: James Swann in Washington at jswann1@bna.com

To contact the editor responsible for this story: Janey Cohen at jcohen@bna.com

For More Information

The OCR resolution agreement is at http://src.bna.com/eik.