<div dir="ltr"><a href="http://www.databreachtoday.com/lack-ba-agreement-costs-clinic-750000-a-9055">http://www.databreachtoday.com/lack-ba-agreement-costs-clinic-750000-a-9055</a><br><br><span class="">Second HIPAA Enforcement Action This Year Involving a Vendor Agreement</span><br><p>A North Carolina orthopedic clinic will pay a $750,000 penalty as
part of a breach-related settlement involving the release of 17,300
X-ray films containing protected health information to a vendor without
having a business associate agreement in place, as required under <a href="http://www.healthcareinfosecurity.com/hipaa-hitech-c-282">HIPAA</a>.</p>
<p>The <a href="http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic-bulletin/index.html" target="_blank">Department of Health and Human Services' Office for Civil Rights</a>
says in an April 19 statement that the settlement with Raleigh
Orthopaedic Clinic, which operates clinics and an orthopedic surgery
center in Raleigh, N.C., spotlights the importance of executing a BA
agreement before turning over PHI to third-party vendors.</p>
<p> "HIPAA's obligation on covered entities to obtain business associate
agreements is more than a mere check-the-box paperwork exercise,"
Jocelyn Samuels, director of OCR, said in the statement. "It is critical
for entities to know to whom they are handing PHI and to obtain
assurances that the information will be protected." </p>
<h3>Common Issue</h3>
<p>The Raleigh Orthopaedic case highlights a far-too-common problem, says <a href="http://www.healthcareinfosecurity.com/privacy-c-151">privacy</a> and security expert Kate Borten, founder of The Marblehead Group consultancy.</p>
<p> "The impetus for this investigation and resolution agreement was the
privacy breach caused by the complete lack of a business associate
relationship and PHI protection," she says. "This continues to be a not
uncommon problem in healthcare a decade after the [HIPAA] rules" went
into effect. </p>
<p>In fact, OCR's resolution agreement with Raleigh Orthopaedic is the
second enforcement action OCR has taken so far this year highlighting
the importance of having a business associate agreement. </p>
<p>In March, OCR announced a $1.55 million settlement with <a href="http://www.healthcareinfosecurity.com/provider-faces-155-million-penalty-for-bas-breach-a-8978">North Memorial Healthcare</a> in a case involving the lack of a BA agreement with a vendor as well as the lack of a timely, enterprisewide <a href="http://www.healthcareinfosecurity.com/risk-assessment-c-44">risk analysis</a>, another HIPAA requirement.</p>
<p>"Covered entities and business associates must have a thorough
process around their downstream BAs," Borten says. "At all times, the
entity must be sure it has identified all its BAs and that they have
signed a compliant business associate agreement prior to PHI release."</p>
<h3>Breach Investigation</h3>
<p>This latest settlement is the result of an OCR investigation involving a <a href="http://www.healthcareinfosecurity.com/breach-response-c-324">breach</a> reported by Raleigh Orthopaedic in April 2013. </p>
<p>In a 2013 <a href="http://www.raleighortho.com/news-events-notification.php" target="_blank">statement</a>,
the healthcare entity said it had "contracted with a third-party vendor
to transfer old X-ray films into electronic format." Raleigh
Orthopaedic said it provided the vendor with the X-ray films, "but the
vendor never provided Raleigh Ortho with an electronic version of the
films."</p>
<p>The clinic said it conducted an investigation and, "during the first
week of March 2013, discovered that it had been the victim of a scam. It
appears that the X-ray films were sold to a recycling company in Ohio
that harvested the silver from the films. Raleigh Ortho believes the
films were ultimately destroyed."</p>
<p>The healthcare provider said at the time that patients' full names
and dates of birth accompanied the films, but that it did not believe
any other individually identifiable information was on the X-ray films.</p>
<p>In the resolution agreement, however, OCR notes that "HHS received
notification from [Raleigh Orthopaedic Clinic] regarding a breach of its
PHI resulting from an impermissible disclosure of PHI contained in
X-ray films to a third-party vendor after orally arranging for the
vendor to harvest the silver from the films in exchange for transferring
the X-rays into electronic media."</p>
<p>Raleigh Orthopaedic did not immediately respond to Information Security Media Group's request for comment.</p>
<h3>Corrective Action Plan</h3>
<p>In addition to the financial settlement, the <a href="http://www.hhs.gov/sites/default/files/Raleigh%20Orthopaedic%20RA%20%26%20CAP%20%28508%29_0.pdf" target="_blank">resolution agreement</a>
between OCR and Raleigh Orthopaedic includes a corrective action plan
requiring the clinic to revise its policies and procedures related to
business associates. That includes:</p>
<ul><li>Establishing a process for assessing whether entities are business associates;</li><li>Designating an individual responsible for ensuring BA agreements are in place prior to disclosing PHI to a business associate;</li><li>Creating a standard template BA agreement;</li><li>Establishing a standard process for maintaining documentation of BA
agreements for at least six years beyond the date of termination of a BA
relationship; </li><li>Limiting disclosures of PHI to BAs to the minimum necessary to accomplish the purpose for which the BA was hired; and</li><li>Providing <a href="http://www.healthcareinfosecurity.com/awareness-training-c-27">training</a> to its workforce for any changes in policies and procedures related to BAs.</li></ul>
<p>Borten notes that every HIPAA-covered organization should ensure it
has "a complete and detailed spreadsheet of its BAs, and that someone
has been designated to maintain it, including periodic review by
management."</p>
<h3>Other Recent Settlements</h3>
<p>The settlement between OCR and Raleigh Orthopaedic is the fifth
enforcement action issued by OCR so far in 2016. In addition to the
North Memorial Healthcare case, those include:</p>
<ul><li>A $3.9 million settlement and resolution agreement in March with <a href="http://www.healthcareinfosecurity.com/research-institute-breach-results-in-39-million-sanction-a-8979">Feinstein Institute for Medical Research</a>
related to insufficient security management processes, policies and
procedures noted by OCR after investigating a breach tied to the theft
of an <a href="http://www.healthcareinfosecurity.com/encryption-c-209">unencrypted</a> laptop containing data on several thousand patients and participants in a research project;</li><li>A $25,000 settlement and resolution agreement in February with <a href="http://www.healthcareinfosecurity.com/case-shines-spotlight-on-hipaas-marketing-rules-a-8890">Complete P.T., Pool & Land Physical Therapy Inc.</a>,
resulting from an investigation of a complaint alleging that the
organization was impermissibly disclosing PHI on its website for
marketing purposes;</li><li>A summary judgment in February requiring <a href="http://www.healthcareinfosecurity.com/ocr-slaps-home-health-provider-penalty-a-8842">Lincare Inc.</a>,
a provider of respiratory care, medical equipment and other services to
in-home patients, to pay a $239,800 civil monetary penalty in a case
stemming from a complaint that a Lincare employee left behind documents
containing the PHI of 278 patients after moving to a new residence.</li></ul><br></div>