An orthopedic clinic has agreed to pay $750,000 in fines for failure to have a business associate agreement in place, as HIPAA requires. This penalty is one of the first significant enforcement actions by the federal government focusing solely on business associate agreements, and reflects a newly aggressive regulatory approach by HHS' Office for Civil Rights ("OCR"), the federal agency with oversight over HIPAA compliance.
As noted in the settlement agreement, the clinic failed to have a business associate agreement in place with a vendor to which it disclosed x-rays. The practice gave x-ray films to the vendor to harvest the silver from the films in exchange for transferring the x-rays into electronic media. The practice did not obtain a business associate agreement with the vendor prior to releasing the x-rays. In general, an x-ray is considered protected health information (“PHI”) because it will have the name of the patient (or may otherwise identify an individual), and will include information relating to the health of the individual (i.e., the image itself, as well as the fact that the individual is a patient of the practice). 17,300 individuals were impacted by the disclosure, though the Resolution Agreement between OCR and the practice did not state or allege that the vendor further disclosed any of the PHI, or that any patients of the practice were harmed by the disclosure.
As part of the settlement, the practice agreed to an immediate payment of $750,000 and entered into a Corrective Action Plan (“CAP”). As part of the CAP, the practice must provide names of all business associates and copies of the relevant business associate agreements. It must also revise its policies and procedures to:
- establish a process for assessing whether entities are business associates;
- designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate;
- create a standard template business associate agreement;
- establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and
- limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.
This settlement is of particular note for at least two reasons beyond the dollar amount involved:
- OCR did not show, or argue, that there was a loss of privacy to particular individuals, but merely stated that the practice failed to execute an agreement required by HIPAA. This further supports the view that failure to comply with what some may consider a “technical” requirement of HIPAA can still lead to significant penalties.
- There is occasionally the mistaken belief that x-rays and other tangible items are either not PHI, or that their disclosure will not be considered highly problematic, on the theory that they are not “health information”. The vendor receiving the x-rays, however, would know that each of the patients named on the x-rays was a patient of the practice. This alone would be considered PHI. In addition, at times an x-ray, even without a name attached, will be considered PHI (i.e., containing health information and identifying an individual) if there is something about the x-ray that makes it relatively unique (e.g., a unique condition displayed, the placement of an identifiable object within the person, etc.).
In light of this settlement, Covered Entities should re-evaluate their business associate inventory to properly identify business associates and ensure the business associate agreements are completed and updated to include the recent HITECH requirements, among other HIPAA compliance steps.