The Department of Health and Human Services’ Office for Civil Rights (OCR) has revealed a compensation settlement has been agreed with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged breaches of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for not entering into a business associate agreement (BAA) with a vendor before releasing the protected health information (PHI) of 17,300 patients in 2013.
OCR initiated an investigation into a data breach reported by Raleigh Orthopaedic on April 30, 2013. Raleigh Orthopaedic had agreed to supply a potential business associate (BA) with X-Ray films in order to have images converted to a digital format. The company was permitted to recycle the original films to recover the silver after the images had been converted to an electronic format. However, the agreement was made over the telephone and no BAA was received.
Before providing the company with the X-Rays Raleigh Orthopaedic should have issued a BAA and received a signed copy. The BAA should have detailed the duties the company had to ensure X-Ray data were properly secure at all times. Raleigh Orthopaedic had not obtained satisfactory assurances that PHI would be treated as confidential and protected as per HIPAA Rules. The failure to receive a compliant BAA was a breach of the HIPAA Privacy Rule (45 C.F.R. § 164.502(e)).
Along with the $750,000 settlement Raleigh Orthopaedic has agreed to put in place a corrective action plan (CAP). The CAP requires Raleigh Orthopaedic to send a list of names and addresses of all business associates to OCR along with copies of current business associate agreements.
Policies and procedures must be updated to ensure that at least one individual is made responsible for ensuring that BAAs are received from all BAs. A process must also be implemented to ensure all future potential BAs are issued with a BAA prior to the disclosure of any PHI.
After policies have been reviewed by OCR, Raleigh Orthopaedic must ensure that all BAAs are looked over to ensure compliance with HIPAA Rules.
Raleigh Orthopaedic must also formulate further training material covering the changes to policies and procedures and provide more training to all employees required to come into contact with PHI.
OCR Director Jocelyn Samuels revealed the breach and point out “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.” She added, “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
The settlement agreement, in its entirety, can be viewed here.