Orthopedic Clinic Pays $750K HIPAA Settlement For Disclosing PHI Without a Business Associate Agreement | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Orthopedic Clinic Pays $750K HIPAA Settlement For Disclosing PHI Without a Business Associate Agreement

April 22, 2016
by Heather Landi
| Reprints

Raleigh Orthopaedic Clinic of North Carolina agreed this week to pay $750,000 to settle charges that it allegedly violated privacy rules by providing patients’ protected health information (PHI) to a business partner without first executing a business associate agreement.

Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopedic surgery center in the Raleigh, North Carolina area.

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced the $750,000 settlement as the result of an investigation in Raleigh Orthopaedic potentially violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. OCR initiated its investigation of the orthopedic clinic following receipt of a breach report on April 30, 2013, according to an announcement.

“OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.  Raleigh Orthopedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI),” the OCR statement said.

HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure, according to OCR. 

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” Jocelyn Samuels, OCR director said in a statement. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

As part of the settlement, Raleigh Orthopaedic is required to conduct a corrective action plan, including revising its policies and procedures to establish a process for assessing whether entities are business associates. In addition, the provider also has to revise its policies to designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired, according to the OCR.

HHS provides model business associate agreement language on its website and it can accessed here: http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Get the latest information on Medical Imaging and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

AMIA Warns of Tax Bill’s Impact on Graduate School Programs in Informatics

Provisions in the Republican tax bill that would count graduate student tuition waivers as taxable income would have detrimental impacts on the viability of fields such as informatics, according to the American Medical Informatics Association.

Appalachia Project to Study Relationship Between Increased Broadband Access, Improved Cancer Care

The Federal Communications Commission and the National Cancer Institute have joined forces to focus on how increasing broadband access and adoption in rural areas can improve the lives of rural cancer patients.

Survey: By 2019, 60% of Medicare Revenues will be Tied to Risk

Medical groups and health systems that are members of AMGA (the American Medical Group Association) expect that nearly 60 percent of their revenues from Medicare will be from risk-based products by 2019, according to the results from a recent survey.

83% of Physicians Have Experienced a Cyber Attack, Survey Finds

Eighty-three percent of physicians in a recent survey said that they have experienced some sort of cyber attack, such as phishing and viruses.

Community Data Sharing: Eight Recommendations From San Diego

A learning guide focuses on San Diego’s experience in building a community health information exchange and the realities of embarking on a broad community collaboration to achieve better data sharing.

HealthlinkNY’s Galanis to Step Down as CEO

Christina Galanis, who has served as president and CEO of HealthlinkNY for the past 13 years, will leave her position at the end of the year.