Apr 22, 2016

OCR Settlement with Physician Group Highlights Need For HIPAA Business Associate Agreements


This week, OCR announced another HIPAA settlement based on a provider's failure to have a business associate agreement in place before disclosing PHI to a third-party vendor.

OCR had initiated an investigation of Raleigh Orthopaedic Clinic, P.A., of North Carolina following receipt of a breach report that revealed a release of protected health information (PHI) without first having a business associate agreement (BAA) in place.

Raleigh Orthopaedic had given x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the x-ray images.

In addition to paying $750,000 under the settlement, Raleigh Orthopaedic is required to implement a robust corrective action plan, including:
  • establishing a process for assessing whether entities are business associates; 
  • designating a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; 
  • creating a standard template business associate agreement;
  • establishing a standard process for maintaining documentation of a business associate agreement for at least six (6) years beyond the date of termination of a business associate relationship; and
  • limiting disclosure of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired. 
The OCR press release is located here.