OCR Settlement with Physician Group Highlights Need For HIPAA Business Associate Agreements

This week, OCR announced another HIPAA settlement based on a provider's failure to have a Business Associate Agreement in place before disclosing PHI to a third-party business vendor.
OCR had initiated an investigation of Raleigh Orthopaedic Clinic, P.A. of North Carolina following receipt of a breach report which revealed a release of protected health information (PHI) without first having a business associate agreement (BAA) in place.
Raleigh Orthopaedic had given x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the x-ray images.
In addition to the $750,000 monetary payment, Raleigh Orthopaedic is required to implement a robust corrective action plan, including:
- establishing a process for assessing whether entities are business associates;
- designating a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate;
- creating a standard template business associate agreement;
- establishing a standard process for maintaining documentation of a business associate agreement for at least six (6) years beyond the date of termination of a business associate relationship; and
- limiting disclosure of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.