A group practice that was the victim of a silver-harvesting scam has agreed to pay the U.S. Department of Health and Human Services (“HHS”) $750,000 to settle charges that it released protected health information (“PHI”) of its patients to a third party vendor without first obtaining a written business associate agreement. Raleigh Orthopaedic Clinic, P.A. (the “Clinic”) provided x-ray films of 17,300 patients to a vendor that was supposed to convert the x-ray films to electronic records in exchange for harvesting the silver from the films. When the Clinic did not receive the electronic records, it investigated and learned that the vendor sold the films to a recycling company that harvested the silver. The Clinic reported the breach to the HHS’ Office for Civil Rights (“OCR”) in April 2013.
In discussing the settlement, the Director of the OCR explained that the obligation under HIPAA that covered entities enter into a business associate agreement before releasing PHI to a vendor or potential business partner is “more than a mere check-the-box paperwork exercise.” The OCR Director emphasized that it is “critical” for a covered entity to know to whom they are handing PHI and to obtain assurances that the information will be protected. This is one of the important reasons why there is a requirement for a business associate agreement.
In addition to the monetary payment, the Clinic entered into a corrective action plan whereby it must revise its HIPAA policies and procedures to:
- Designate one or more individual(s) to be responsible for ensuring that there is a signed business associate agreement with each of its business associates prior to disclosing any PHI to such entity;
- Develop a standard template business associate agreement;
- Create a process for:
- assessing the Clinic’s current and future business relationships to determine whether each relationship is with a “business associate” as defined under the HIPAA rules;
- maintaining documentation of business associate agreements for at least six years beyond the date when the relationship with the business associate is terminated;
- Limit proper disclosures of PHI to the minimum amount that is reasonably necessary for the business associate to perform its duties.
This settlement is the second OCR settlement in the last month related to business associate agreements. It follows North Memorial Health Care of Minnesota agreeing to pay a penalty of $1.5 million for its failure to have a signed business associate agreement with a major vendor performing billing and other operations for the system. The OCR is reminding covered entities of the importance of having in place policies and procedures to identify and vet potential business associates before disclosing PHI. Failing to know your business partners and obtain proper written assurances regarding protecting patient information can be costly.