[BreachExchange] Lack of BA Agreement Costs Clinic $750,000

Inga Goddijn inga at riskbasedsecurity.com
Wed Apr 20 19:32:10 EDT 2016


http://www.databreachtoday.com/lack-ba-agreement-costs-clinic-750000-a-9055

Second HIPAA Enforcement Action This Year Involving a Vendor Agreement

A North Carolina orthopedic clinic will pay a $750,000 penalty as part of a
breach-related settlement involving the release of 17,300 X-ray films
containing protected health information to a vendor without having a
business associate agreement in place, as required under HIPAA
<http://www.healthcareinfosecurity.com/hipaa-hitech-c-282>.


The Department of Health and Human Services' Office for Civil Rights
<http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic-bulletin/index.html>
says in an April 19 statement that the settlement with Raleigh Orthopaedic
Clinic, which operates clinics and an orthopedic surgery center in Raleigh,
N.C., spotlights the importance of executing a BA agreement before turning
over PHI to third-party vendors.

"HIPAA's obligation on covered entities to obtain business associate
agreements is more than a mere check-the-box paperwork exercise," Jocelyn
Samuels, director of OCR, said in the statement. "It is critical for
entities to know to whom they are handing PHI and to obtain assurances that
the information will be protected."

Common Issue

The Raleigh Orthopaedic case highlights a far-too-common problem, says
privacy <http://www.healthcareinfosecurity.com/privacy-c-151> and security
expert Kate Borten, founder of The Marblehead Group consultancy.

"The impetus for this investigation and resolution agreement was the
privacy breach caused by the complete lack of a business associate
relationship and PHI protection," she says. "This continues to be a not
uncommon problem in healthcare a decade after the [HIPAA] rules" went into
effect.

In fact, OCR's resolution agreement with Raleigh Orthopaedic is the second
enforcement action OCR has taken so far this year highlighting the
importance of having a business associate agreement.

In March, OCR announced a $1.55 million settlement with North Memorial
Healthcare
<http://www.healthcareinfosecurity.com/provider-faces-155-million-penalty-for-bas-breach-a-8978>
in a case involving the lack of a BA agreement with a vendor as well as the
lack of a timely, enterprisewide risk analysis
<http://www.healthcareinfosecurity.com/risk-assessment-c-44>, another HIPAA
requirement.

"Covered entities and business associates must have a thorough process
around their downstream BAs," Borten says. "At all times, the entity must
be sure it has identified all its BAs and that they have signed a compliant
business associate agreement prior to PHI release."

Breach Investigation

This latest settlement is the result of an OCR investigation involving a
breach <http://www.healthcareinfosecurity.com/breach-response-c-324>
reported by Raleigh Orthopaedic in April 2013.

In a 2013 statement
<http://www.raleighortho.com/news-events-notification.php>, the healthcare
entity said it had "contracted with a third-party vendor to transfer old
X-ray films into electronic format." Raleigh Orthopaedic said it provided
the vendor with the X-ray films, "but the vendor never provided Raleigh
Ortho with an electronic version of the films."

The clinic said it conducted an investigation and, "during the first week
of March 2013, discovered that it had been the victim of a scam. It appears
that the X-ray films were sold to a recycling company in Ohio that
harvested the silver from the films. Raleigh Ortho believes the films were
ultimately destroyed."

The healthcare provider said at the time that patients' full names and
dates of birth accompanied the films, but that it did not believe any other
individually identifiable information was on the X-ray films.

In the resolution agreement, however, OCR notes that "HHS received
notification from [Raleigh Orthopaedic Clinic] regarding a breach of its
PHI resulting from an impermissible disclosure of PHI contained in X-ray
films to a third-party vendor after orally arranging for the vendor to
harvest the silver from the films in exchange for transferring the X-rays
into electronic media."

Raleigh Orthopaedic did not immediately respond to Information Security
Media Group's request for comment.

Corrective Action Plan

In addition to the financial settlement, the resolution agreement
<http://www.hhs.gov/sites/default/files/Raleigh%20Orthopaedic%20RA%20%26%20CAP%20%28508%29_0.pdf>
between OCR and Raleigh Orthopaedic includes a corrective action plan
requiring the clinic to revise its policies and procedures related to
business associates. That includes:

   - Establishing a process for assessing whether entities are business
   associates;
   - Designating an individual responsible for ensuring BA agreements are
   in place prior to disclosing PHI to a business associate;
   - Creating a standard template BA agreement;
   - Establishing a standard process for maintaining documentation of BA
   agreements for at least six years beyond the date of termination of a BA
   relationship;
   - Limiting disclosures of PHI to BAs to the minimum necessary to
   accomplish the purpose for which the BA was hired; and
   - Providing training
   <http://www.healthcareinfosecurity.com/awareness-training-c-27> to its
   workforce for any changes in policies and procedures related to BAs.

Borten notes that every HIPAA-covered organization should ensure it has "a
complete and detailed spreadsheet of its BAs, and that someone has been
designated to maintain it, including periodic review by management."

Other Recent Settlements

The settlement between OCR and Raleigh Orthopaedic is the fifth enforcement
action issued by OCR so far in 2016. In addition to the North Memorial
Healthcare case, those include:

   - A $3.9 million settlement and resolution agreement in March with Feinstein
   Institute for Medical Research
   <http://www.healthcareinfosecurity.com/research-institute-breach-results-in-39-million-sanction-a-8979>
   related to insufficient security management processes, policies and
   procedures noted by OCR after investigating a breach tied to the theft of
   an unencrypted <http://www.healthcareinfosecurity.com/encryption-c-209>
   laptop containing data on several thousand patients and participants in a
   research project;
   - A $25,000 settlement and resolution agreement in February with Complete
   P.T., Pool & Land Physical Therapy Inc.
   <http://www.healthcareinfosecurity.com/case-shines-spotlight-on-hipaas-marketing-rules-a-8890>,
   resulting from an investigation of a complaint alleging that the
   organization was impermissibly disclosing PHI on its website for marketing
   purposes;
   - A summary judgment in February requiring Lincare Inc.
   <http://www.healthcareinfosecurity.com/ocr-slaps-home-health-provider-penalty-a-8842>,
   a provider of respiratory care, medical equipment and other services to
   in-home patients, to pay a $239,800 civil monetary penalty in a case
   stemming from a complaint that a Lincare employee left behind documents
   containing the PHI of 278 patients after moving to a new residence.