OCR Settlement with Physician Group Highlights Need For HIPAA Business Associate Agreements

This week, the OCR announced another HIPAA settlement based on a provider’s failure to have a Business Associate Agreement in place before disclosing PHI to a third-party vendor.

OCR had initiated an investigation of Raleigh Orthopaedic Clinic, P.A. of North Carolina following receipt of a breach report which revealed a release of protected health information (PHI) without first having a business associate agreement (BAA) in place.

Raleigh Orthopaedic had given x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the x-ray images.

In addition to the $750,000 monetary payment, Raleigh Orthopaedic is required to implement a robust corrective action plan, including:

  • establishing a process for assessing whether entities are business associates;
  • designating a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate;
  • creating a standard template business associate agreement;
  • establishing a standard process for maintaining documentation of a business associate agreement for at least six (6) years beyond the date of termination of a business associate relationship; and
  • limiting disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.

The OCR press release is located here.

Written by: Clay J. Countryman
