Orthopedic Clinic Pays $750K HIPAA Settlement For Disclosing PHI Without a Business Associate Agreement | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Orthopedic Clinic Pays $750K HIPAA Settlement For Disclosing PHI Without a Business Associate Agreement

April 22, 2016
by Heather Landi
| Reprints

Raleigh Orthopaedic Clinic of North Carolina agreed this week to pay $750,000 to settle charges that it allegedly violated privacy rules by providing patients’ protected health information (PHI) to a business partner without first executing a business associate agreement.

Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopedic surgery center in the Raleigh, North Carolina area.

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced the $750,000 settlement as the result of an investigation in Raleigh Orthopaedic potentially violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. OCR initiated its investigation of the orthopedic clinic following receipt of a breach report on April 30, 2013, according to an announcement.

“OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.  Raleigh Orthopedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI),” the OCR statement said.

HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure, according to OCR. 

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” Jocelyn Samuels, OCR director said in a statement. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

As part of the settlement, Raleigh Orthopaedic is required to conduct a corrective action plan, including revising its policies and procedures to establish a process for assessing whether entities are business associates. In addition, the provider also has to revise its policies to designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired, according to the OCR.

HHS provides model business associate agreement language on its website and it can accessed here: http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

Healthcare Execs Anticipate High Cost Returns from Predictive Analytics Use

Healthcare executives are dedicating budget to predictive analytics, and are forecasting significant cost savings in return, according to new research from the Illinois-based Society of Actuaries.

Adam Boehler Tapped by Azar to Serve as Senior Value-Based Care Advisor

Adam Boehler, currently director of CMMI, has also been named the senior advisor for value-based transformation and innovation, HHS Secretary Alex Azar announced.

Vivli Launches Clinical Research Data-Sharing Platform

On July 19 a new global data-sharing and analytics platform called Vivli was unveiled. The nonprofit group’s mission is to promote, coordinate and facilitate scientific sharing and reuse of clinical research data.

Survey: More Effective IT Needed to Improve Patient Safety

In a Health Catalyst survey, physicians, nurses and healthcare executives said ineffective information technology, and the lack of real-time warnings for possible harm events, are key obstacles to achieving their organizations' patient safety goals.

Physicians Still Reluctant to Embrace Virtual Tech, Survey Finds

While consumers and physicians agree that virtual healthcare holds great promise for transforming care delivery, physicians still remain reluctant to embrace the technologies, according to a new Deloitte Center for Health Solutions survey.

Geisinger, AstraZeneca Partner on Asthma App Suite

Geisinger has partnered with pharmaceutical company AstraZeneca to create a suite of products that integrate into the electronic health record and engage asthma patients and their providers in co-managing the disease.