The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently entered into resolution agreements with the Raleigh Orthopaedic Clinic, P.A. of North Carolina and North Memorial Health Care, a not-for-profit health care system in Minnesota, to settle charges the entities released protected health information (“PHI”) without first obtaining written business agreements.
These recent settlements by the OCR should serve as a reminder to covered entities of the importance of having proper policies and procedures in place to identify and evaluate potential business associates before disclosing PHI—and the potentially high cost for failing to do so.
The Raleigh Orthopaedic Clinic agrees to pay $750,000 to settle charges
The Raleigh Orthopaedic Clinic (“the Clinic”) is a provider group practice that operates clinics and an orthopedic surgery center in the Raleigh, N.C. area. The OCR began its investigation of the Clinic in April 2013 after the OCR received a breach notification from the Clinic indicating an impermissible disclosure of PHI to a third party vendor.
The disclosure stemmed from an oral agreement between the Clinic and a vendor. As part of the agreement, the Clinic released the x-ray films and related PHI of 17,300 patients to a vendor that was supposed to convert the images to electronic records in exchange for harvesting the silver from the x-rays.
The Clinic agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by providing the PHI of nearly 17,300 patients to a potential business partner without first executing a business associate agreement. In an April 19th press release announcing the OCR’s settlement agreement with the Clinic, OCR Director Jocelyn Samuels stated “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.” The OCR Director went on to emphasize that “[i]t is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
In addition to the $750,000 payment, the settlement agreement with the OCR requires the Clinic to: 1) implement procedures for determining whether entities are business associates; 2) select a responsible individual who will ensure business associate agreements are in place before disclosing PHI to a business associate; 3) create a standard template for business associate agreements; 4) develop procedures for maintaining documentation of business associate agreements for at least six (6) years beyond the date a business associate relationship terminates; and 5) limit disclosures of PHI to the minimum necessary to accomplish the purpose for which the business associate was hired.
North Memorial Health Care agrees to pay $1,550,000 to settle charges
North Memorial Health Care (“North Memorial”) is a not-for-profit health care system in Minnesota that operates in the Twin Cities and surrounding areas. The OCR began investigating North Memorial following the report of a data breach in September 2011. The data breach stemmed from the theft of an unencrypted, password-protected laptop from the locked vehicle of an Accretive Health employee. Accretive Health was North Memorial’s business associate. The laptop contained electronic PHI of 9,497 individuals.
The OCR’s investigation revealed that North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to its business associate, Accretive, without obtaining a written business associate agreement from Accretive. The OCR also found that North Memorial did not establish an enterprise-wide risk analysis to address patient information risks and vulnerabilities, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).
In addition to the $1.55 million payment to settle the charges, North Memorial must abide by the terms of a corrective action plan, which includes developing an enterprise-wide risk analysis and management plan. North Memorial is also required to provide training for workforce members affected by the corrective action plan.
In the March 16, 2016, press release announcing the settlement, OCR Director Samuels stressed that “[o]rganizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
These recent settlements announced by the OCR show the high cost a covered entity could face for not having an appropriate business associate agreement in place. They should remind covered entities to have the proper policies, procedures, and personnel in place to identify and evaluate potential business associates before releasing PHI.
To find out more about the business associate agreements or other HIPAA requirements, contact Fraser Trebilcock at 517.482.5800.