Skip to content Skip to navigation

Orthopedic Clinic Pays $750K HIPAA Settlement For Disclosing PHI Without a Business Associate Agreement

April 22, 2016
by Heather Landi
| Reprints

Raleigh Orthopaedic Clinic of North Carolina agreed this week to pay $750,000 to settle charges that it allegedly violated privacy rules by providing patients’ protected health information (PHI) to a business partner without first executing a business associate agreement.

Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopedic surgery center in the Raleigh, North Carolina area.

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced the $750,000 settlement as the result of an investigation in Raleigh Orthopaedic potentially violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. OCR initiated its investigation of the orthopedic clinic following receipt of a breach report on April 30, 2013, according to an announcement.

“OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.  Raleigh Orthopedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI),” the OCR statement said.

HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure, according to OCR. 

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” Jocelyn Samuels, OCR director said in a statement. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

As part of the settlement, Raleigh Orthopaedic is required to conduct a corrective action plan, including revising its policies and procedures to establish a process for assessing whether entities are business associates. In addition, the provider also has to revise its policies to designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired, according to the OCR.

HHS provides model business associate agreement language on its website and it can accessed here:



CMS Hospital Compare Website Updated with VA Data

The Centers for Medicare & Medicaid Services (CMS) has announced the inclusion of Veterans Administration (VA) hospital performance data as part of the federal agency’s Hospital Compare website.

CMS Awards Funding to Special Innovation Projects

The Centers for Medicare & Medicaid Services (CMS) has awarded 20, two-year Special Innovation Projects (SIPs) aimed at local efforts to deliver better care at lower cost.

Center of Excellence in Genomic Science to be Established in Chicago

The National Human Genome Research Institute has awarded $10.6 million over five years for the establishment of a new research center in Chicago to advance genomic science.

EHNAC and HITRUST Combine HIPAA Security Criteria, CSF Framework

The Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) announced plans to streamline their accreditation and certification programs.

Halamka on MACRA Final Rule: “CMS is Listening and I Thank Them”

Health IT notable expert John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston, recently weighed in on the Medicare Access and CHIP Reauthorization Act (MACRA) final rule.

Texas Patient Care Clinic Hit with Ransomware Attack

Grand Prairie, Texas-based Rainbow Children's Clinic was the victim of a ransomware attack on its IT systems in August, affecting more than 33,000 patients, according to multiple news media reports this week.