Physician Practice and Hospital Pay $750,000 and $1.5 Million for Failure to Have HIPAA Business Associate Agreements

The Office for Civil Rights (OCR) recently announced two separate settlements with a hospital and a physician practice that highlight the importance of having HIPAA business associate agreements. Each of these HIPAA settlements was based on the failure to have a HIPAA business associate agreement in place with a third party to which the hospital or physician practice had disclosed patients' healthcare information so that the third party could perform certain administrative services. In each case, the third-party recipients of patient electronic healthcare information committed or contributed to a breach under the HIPAA Privacy Rule.

On March 16, 2016, the OCR announced that North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle allegations that it violated the HIPAA Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to conduct an accurate and thorough security risk assessment. The OCR initiated an investigation of North Memorial following receipt of a breach report that an unencrypted, password-protected laptop was stolen from a business associate's workforce member's locked vehicle, impacting the ePHI of 9,497 individuals.

The OCR discovered that North Memorial did not have in place a business associate agreement with this business associate, Accreative. North Memorial had given Accreative access to North Memorial's hospital database, which stored the ePHI of 289,904 patients. Accreative also received access to non-electronic protected health information as it performed services on site at North Memorial.

The OCR commented that North Memorial failed to conduct a thorough risk assessment that incorporated all of its information technology equipment, including all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes, applications, and data systems using electronic protected health information (ePHI).

On April 19, 2016, the OCR announced that Raleigh Orthopaedic Clinic, P.A. of North Carolina had agreed to settle charges that it potentially violated the HIPAA Privacy and Security Rules by turning over the protected health information (PHI) of approximately 17,300 patients to a potential business partner without first executing a business associate agreement. Under the HIPAA settlement with OCR, Raleigh Orthopaedic Clinic agreed to pay $750,000 and implement an extensive corrective action plan.

The OCR initiated its investigation of Raleigh Orthopaedics following receipt of a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedics released the x-ray films and related PHI of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. OCR discovered that Raleigh Orthopaedic failed to execute a business associate agreement with this entity prior to turning over the x-rays and PHI.

In addition to the $750,000 payment, Raleigh Orthopaedics is required to revise its policies and procedures to:

  • establish a process for assessing whether entities are business associates;
  • designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate;
  • create a standard template business associate agreement;
  • establish a standard process for maintaining documentation of a business associate agreement for at least six (6) years beyond the date of termination of a business associate relationship; and
  • limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.

Recently, the OCR updated the audit protocol that it will be using to assess HIPAA Covered Entities' and Business Associates' compliance with the HIPAA privacy, security, and breach notification rules. OCR also released a template that Covered Entities and Business Associates may use to keep track of their business associate relationships. The release of the updated audit protocol and Business Associate tracking template is part of the implementation of the Phase 2 HIPAA Compliance Audits by OCR.

The OCR sample Business Associate tracker contains a list of the specific information the OCR will request from a Covered Entity or Business Associate as part of the Phase 2 HIPAA Compliance Audits. In response to a request from the OCR, Covered Entities and Business Associates should be able to quickly produce the following information for each business associate:

  • name of business associate,
  • type of service provided,
  • contact information for two points of contact at the business associate, and
  • the website URL for the business associate.

Based on the above recent settlements and other enforcement initiatives of the HIPAA Privacy and Security Rules, physician practices should consider conducting a risk assessment using the new audit protocol to identify compliance issues and gaps in their documentation. Physician practices should also consider adopting an internal Business Associate tracking system that contains the information that OCR will request as part of an audit.

Written by: Clay Countryman
