Another HIPAA Breach Settlement for Not Having Had a Business Associate Agreement in Place: HIPAA & HITECH Act Blog by Jonathan P. Tomes

JonTomesMy Vice President and editor, Alice M. McCart, always says that she hates it when I’m always right. I always mess with her by saying, “It’s unavoidable.” But I’m certainly not always right in all fields of human endeavor as witnessed by my trying to raise an 18-year-old daughter. But with HIPAA, I don’t have to face statements like, “I don’t want to go to this college, which has offered me a four-year Dean’s Scholarship, because a high school classmate that I don’t like is going there.” The federal government is far more predictable than an 18-year old, and I was right when I warned about the importance of having business associate agreements in place in my April 3, 2016, blog, “$1.55 Million Settlement Stresses Importance of Business Associate Agreements.” In that case, North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle charges that it had violated HIPAA’s Privacy and Security Rules by having failed to enter into a business associate agreement with a major contractor and having failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

In this latest settlement, Raleigh Orthopaedic Clinic, which operates clinics and an orthopedic surgery center in Raleigh, NC, will pay a $750,000 penalty as part of a breach-related settlement involving the release of 17,300 X-ray films containing protected health information (“PHI”) to a vendor without having had a business associate agreement in place.

In a 2013 statement, the health care entity said that it had “contracted with a third-party vendor to transfer old X-ray films into electronic format.” Raleigh Orthopaedic said that it provided the vendor the X-ray films, “but the vendor never provided Raleigh Ortho with an electronic version of the films.” The clinic later learned that it had been the victim of a scam. The X-ray films were sold to a recycling company in Ohio that harvested the silver from the films. Raleigh Ortho believes that the films were ultimately destroyed.

The health care provider said at the time that patients’ full names and dates of birth accompanied the films, but that it did not believe any other individually identifiable information was on the X-ray films.

In the resolution agreement, however, the Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) notes that DHHS “received notification from [Raleigh Orthopaedic Clinic] regarding a breach of its PHI resulting from an impermissible disclosure of PHI contained in X-ray films to a third-party vendor after orally arranging for the vendor to harvest the silver from the films in exchange for transferring the X-rays into electronic media.”

Apparently, Raleigh Orthopaedic did not read my November 8, 2011, blog post about the value of silver in X-rays and that PHI had to be safeguarded until destroyed, “PHI as Good as Gold (well, Silver)?”

That post related that Baltimore police were looking for a suspect who had stolen thousands of X-rays from Saint Joseph Medical Center in order to extract silver from the X-rays. Silver is used to coat X-rays to enhance the images. The hospital had identified the X-rays for destruction under its retention policy. The blog post stressed the importance of protecting the X-ray films until their ultimate destruction, but they had not yet been destroyed when the suspect stole them.

In the corrective action plan in the resolution agreement, Raleigh had to agree to do all of the following:

  • Establish a process for assessing whether entities are business associates.
  • Designate an individual responsible for ensuring BA agreements are in place prior to disclosing PHI to a business associate.
  • Create a standard template BA agreement.
  • Establish a standard process for maintaining documentation of BA agreements for at least six years beyond the date of termination of a BA relationship.
  • Limit disclosures of PHI to BAs to the minimum necessary to accomplish the purpose for which the BA was hired.
  • Provide training to its workforce for any changes in policies and procedures related to BAs.

In this regard, see my “HIPAA Documents Resource Center CD,” 6th ed., accompanying my “Compliance Guide to HIPAA and the DHHS Regulations, 6th ed., which has a sample Business Associate Policy and sample Business Associate Agreement template, available on our website.

Right again, Alice?

Alice here. Yes, Jon, you’re right again. For our readers, we don’t usually post items on Friday evening with the thought that you might not want to have to think on HIPAA over the weekend or that the email notification would be so far down your email inbox that you might miss it by Monday morning. But tonight, we wanted you to know that we had another two chapters of Jon’s novel HITECH Hysteria posted in the Premium Member section of our website so that you could have something amusing to read over the weekend. Enjoy.

 

seo by: k.c. seo