A Business Associate Agreement HIPAA violation discovered by the Department of Health and Human Services’ Office for Civil Rights (OCR) has culminated in a $750,000 settlement being reached with the Raleigh Orthopaedic Clinic (ROC) of North Carolina.
An investigation was launched by OCR in 2013 following receipt of ROC's report of a disclosure of protected health information (PHI) to a potential business partner. ROC entered into a verbal agreement with a company to have x-ray films converted to an electronic format. In exchange, the company would be allowed to harvest the silver from the films after the data had been converted. The agreement was reached with the company over the telephone and the x-ray films were handed over. The films contained the x-ray images and personally identifiable information of 17,300 patients.
Healthcare organizations are permitted to provide PHI to business partners for this purpose; however, before any PHI is transferred, HIPAA Rules require the covered entity to enter into a business associate agreement. In the case of ROC this did not happen.
Before any potential business partner is supplied with PHI, the covered entity must execute a HIPAA-compliant business associate agreement. Vendors must agree to abide by HIPAA Rules and ensure PHI is protected at all times with appropriate administrative, technical, and physical safeguards. Without an agreement in place setting out the company's responsibilities for safeguarding PHI, patient data would be left vulnerable to improper disclosure or misuse.
OCR Can Fine Covered Entities $1.5 Million for a Business Associate Agreement HIPAA Violation
The penalty for a business associate agreement HIPAA violation can be severe. A civil monetary penalty of up to $1.5 million can be sought by OCR for the failure of a HIPAA-covered entity to enter into a BAA with a business partner prior to the disclosure of PHI.
Last month, OCR reached a settlement with another covered entity after investigators discovered a business associate agreement HIPAA violation. A settlement of $1.55 million was agreed with North Memorial Health Care of Minnesota to resolve all HIPAA violations discovered by OCR investigators, which also included the failure to conduct a comprehensive risk analysis.