Orthopedic Group Pays Big Fine for HIPAA Violation

Ken Terry

April 25, 2016

Raleigh Orthopaedic Clinic of North Carolina has agreed to pay $750,000 to settle charges that it might have violated the HIPAA Privacy Rule by disclosing protected health information (PHI) for about 17,300 patients to a potential business partner without first executing a business associate agreement (BAA), according to the Department of Health and Human Services.

The Office for Civil Rights (OCR), the branch of the Department of Health and Human Services that enforces the HIPAA regulations, began investigating Raleigh Orthopaedic after receiving a breach report from the practice on April 30, 2013. The investigation found that the practice had released X-ray films and related PHI to a company that promised to transfer the images to electronic media in exchange for harvesting the silver from the X-ray films, the Department of Health and Human Services said in a news release.

In addition to paying the fine, Raleigh Orthopaedic is required to revise its policies and procedures to ensure that the appropriate entities sign BAAs before any PHI is disclosed, that these agreements are fully documented, and that disclosures of PHI are limited to the minimum necessary to accomplish the business purpose, among other things.

"HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise," OCR Director Jocelyn Samuels said in the news release. "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."

OCR recently launched a new round of audits that specifically focus on BAAs, which are required for all business associates with whom HIPAA-covered entities share PHI. These written contracts establish the limits on the use and disclosure of PHI, require the business associate (BA) to protect PHI against unauthorized use or disclosure, and require the BA to report any security breaches to covered entities.

"Widespread" Problem

Katherine Ilten, an attorney with Fredrikson and Byron in Minneapolis, Minnesota, told Medscape Medical News that the OCR audits are designed mainly to educate providers about the need for BAAs and to help them comply. Providers who have not obtained BAAs from vendors are more likely to get caught because of their breach reports than because of these audits, which will affect fairly few providers, Ilten said.

Nevertheless, she stressed, hospitals, practices, and other covered entities need to get these BAAs in place, "because if something goes wrong with your vendor, you have a problem."

OCR regards every record sent to a BA that is not covered under an agreement as a single violation, she pointed out. "Multiply that by tens of thousands of records, and you have a giant fine."

For example, North Memorial Health Care of Minnesota recently paid a $1.55 million fine for failing to make a BAA with a contractor, as well as for not conducting a security risk assessment.

Ilten believes the lack of BAAs is "widespread" among both hospitals and physician practices. Small practices may have inadequate compliance processes, so they are less likely than bigger organizations to obtain BAAs, she said. Large hospitals may not have BAAs with all their vendors because there are so many of them and there are lots of people dealing with those contractors.

She suggested that providers seek BAAs first from their biggest vendors, including electronic health record companies, that have the most contact with PHI. One challenge, she acknowledged, is that vendors that have only recently entered the healthcare field may not be educated about HIPAA. Even more sophisticated vendors, she added, may balk at non-HIPAA-required terms in BAAs such as indemnification agreements, so negotiations can go on for months or years.

As a result, she noted, legal costs can mount and the process can become expensive, especially for small practices. She suggested offering a reasonable indemnification clause or not requesting one at all. If a provider takes the latter route, she said, they should look into buying a cyber-liability insurance policy.
