On April 19, 2016, the U.S. Department of Health and Human Services Office for Civil Rights ("OCR") reached a settlement in the amount of $755,000 with a North Carolina orthopedic clinic ("Clinic") for failing to execute a business associate agreement with a third-party vendor. This is OCR's second settlement this year related to business associate agreements, highlighting OCR's efforts to investigate business associate relationships.

OCR initiated its investigation following notification on April 30, 2013 of a breach in which the Clinic disclosed protected health information ("PHI") contained in x-rays to a third-party vendor. The Clinic had orally agreed to allow this vendor to transfer x-ray images to electronic media in exchange for harvesting the silver from the x-ray films. Because it never executed a written business associate agreement, the Clinic gave the third-party vendor access to the PHI of 17,300 patients.

OCR and the Clinic entered into a resolution agreement and corrective action plan that, in addition to the monetary payment, requires the Clinic to revise its business associates policies and procedures. The Clinic will also need to: 1) designate one or more individuals with authority to enter into and monitor business associate agreements; 2) create a process to determine which third-party vendor relationships fall under the business associate definition; 3) create a process for negotiating business associate agreements; 4) create a standard template for business associate agreements; 5) create a process; 6) create a document management system for business associate agreements; and 7) limit disclosures of PHI to the minimum amount that is reasonably necessary to allow business associates to perform their duties.

In a press release announcing the settlement, OCR Director Jocelyn Samuels emphasized that "HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise" and that "it is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."

Practical Takeaways

In light of this enforcement action and with Phase 2 HIPAA audits underway, covered entities need to take the following steps to ensure compliance with HIPAA's business associate provisions:

  • Review current business associate relationships and execute written agreements (if not already in place); and
  • Review current policies and procedures related to business associates to ensure there are individuals who are monitoring, negotiating and documenting business associate relationships.

More information on this enforcement action, including the resolution agreement and the OCR press release, is available here.