The HHS Office for Civil Rights (OCR) recently announced that Raleigh Orthopaedic Clinic, P.A. (Raleigh Orthopaedic) of North Carolina has agreed to pay a settlement of $750,000 to settle potential HIPAA Privacy Rule violations. Raleigh Orthopaedic handed over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement (BAA).
According to OCR, during the investigation it was discovered that Raleigh Orthopaedic released the x-ray films and related PHI of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopedic failed to execute a BAA with this entity prior to turning over the x-rays (and PHI).
"HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise," said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."
In addition to the settlement
Raleigh Orthopaedic is required to complete an extensive corrective action plan, including revising policies and procedures to:
- Establish a process for assessing whether entities are business associates; designate a responsible individual to ensure BAAs are in place prior to disclosing PHI to a business associate
- Create a standard template business associate agreement
- Establish a standard process for maintaining documentation of BAAs for at least six (6) years beyond the date of termination of a business associate relationship
- Limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.
This settlement demonstrates the importance of a Business Associate Agreement
The settlement agreement Raleigh Orthopaedic agreed to pay and the extensive corrective action plan they must complete demonstrates the importance of a BAA. Covered entities must ensure they understand who their business associates are and must have BAAs in place that include language and assurances PHI will be safeguarded and protected.
Perhaps the most important language a BAA must include in language that states the process in the event of a breach. Business associates should provide covered entities notice in a timely fashion of any security incident or breach involving PHI. For example, a BAA should include a statement such as:
Business Associate agrees to report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware.
At the end of the day, the responsibility is with covered entities to report breaches and provide notification to affected individuals. HHS explains this responsibility by stating:
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.
It is important to note that individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. With respect to a breach at or by a business associate, this means the clock starts when the business associates first learns of the breach not when the covered entity is notified by the business associate a breach occurred.
Conclusion
The settlement and corrective action plan Raleigh Orthopaedic agreed to demonstrate the importance of business associate agreements, and is just one example of several breaches involving business associates. The settlement demonstrates OCR is serious about holding entities accountable for any activities by the covered entity or the business associate involving PHI. Therefore, it is critical for covered entities to understand who their business associates are and ensuring a BAA is in place that includes language and assurances PHI will be safeguarded and protected in the event of a breach a process must be included to ensure timely notifications are provided without unreasonable delay.
If you have any questions or would like us to review your existing BAA to makes sure it includes necessary language, please do not hesitate to contact one of our professional consultants. Please contact us by phone 1-855-427-0427 or email [email protected].