The latest OCR settlement for HIPAA Business Associate Agreement (BAA) failures highlights the importance of having up to date, HIPAA-compliant BAAs in place for all business associates.
Raleigh Orthopaedic Clinic, P.A., of North Carolina has agreed to settle a case filed by the Office for Civil Rights for alleged violations of HIPAA Rules, stemming from an April 30, 2013 breach of PHI.
An investigation was launched by OCR after Raleigh Orthopaedic submitted a breach report of an incident affecting 17,300 patients. X-ray films had been released to a contractor in order to have the data transferred to digital images. The x-ray films were supplied by Raleigh Orthopaedic after an agreement had been reached over the telephone. The company would be allowed to harvest the silver from the x-ray films as payment for converting the x-rays to digital images.
However, prior to providing the x-rays to its business associate, Raleigh Orthopaedic did not obtain a signed business associate agreement explaining the responsibilities the company had with respect to the privacy and security of the data stored on the films.
Without a signed BAA, Raleigh Orthopaedic did not have any assurances that its business associate understood its responsibilities with respect to HIPAA, and neither that the data contained in the x-rays would be protected in accordance with HIPAA Rules. Announcing the settlement, OCR director Jocelyn Samuels explained that a BAA is not simply a check box paperwork exercise. She said, “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
In addition to paying the OCR $750,000 to settle the case, Raleigh Orthopaedic must adopt a strict corrective action plan to address HIPAA failures. Policies and procedures must be revised and a process established to determine whether a contractor is a HIPAA business associate. An individual must be given the responsibility for this process and must ensure that HIPAA-compliant BAAs exist for all BAs contracted by the clinic. A process must also be developed to maintain BAAs for at least six years following the termination on any BA contract. Raleigh Orthopaedic has also agreed to restrict disclosures of PHI to the minimum necessary information to perform the tasks that each BA is assigned.
HIPAA Business Associate Agreements Explained
Before any protected health information is shared with a vendor a covered entity must obtain a signed copy of a HIPAA-compliant BAA.
The BAA is a contract between the covered entity and a business associate. The BAA must explain that any PHI shared with the BA is subject to HIPAA Rules, and must be safeguarded in accordance with the standards laid down in the HIPAA Security Rule.
Business associates must also be advised of the requirements of the HIPAA Privacy Rule, including allowable disclosures of PHI to third parties such as subcontractors. The BAA must also detail the requirements for reporting privacy breaches and security incidents to the covered entity and detail the procedures for responding to a breach involving PHI.
The BAA should explain that as a HIPAA business associate, the organization may be subjected to audits by the Office for Civil Rights and that investigations will be conducted into data breaches. The BAA should cover how an organization must respond to audits and investigations and also explain that the failure to adhere to HIPAA Rules can result in financial penalties and corrective action plans being issued to address any areas of non-compliance.