Health Law Daily
Wednesday, April 20, 2016

Clinic learns to protect PHI the hard way with $750,000 settlement

By Bryant Storm, J.D.

Raleigh Orthopaedic Clinic, P.A. entered into a $750,000 settlement agreement with HHS to resolve allegations that the provider group practice violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191) Privacy Rule by handing over the protected health information (PHI) of nearly 17,300 patients to a potential business partner without first executing a business associate (BA) agreement (BAA) with that partner. Raleigh Orthopaedic is required under the settlement agreement to revise and implement BA policies to enhance PHI protections and to prevent further breaches (Settlement Agreement, October 15, 2015).

Breach. The HHS Office for Civil Rights (OCR) received a breach report concerning Raleigh Orthopaedic on April 30, 2015, and initiated an investigation. The OCR determined that Raleigh Orthopaedic gave a third party access to 17,300 patients’ x-ray films and related PHI. The third party agreed to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic did not enter into a BAA with the x-ray transfer company prior to handing over the x-rays. HIPAA requires that covered entities obtain BAAs containing assurances that the PHI will be protected by business partners that handle PHI. The agency offers model BAAs to help covered entities meet that obligation.

Settlement. Under the settlement agreement, in addition to paying $750,000 to settle the HIPAA charges, Raleigh Orthopaedic agreed to revise its BA policies and procedures. Specifically, the clinic agreed to establish a procedure for identifying when and whether an entity qualifies as a BA and to designate an individual as responsible for ensuring that BAAs are in place prior to PHI disclosures. The agreement also requires the clinic to create a BAA template, establish a document maintenance process for BAAs, and limit PHI disclosures to BAs to the minimum disclosure necessary to accomplish the purpose of the association with the BA.

Companies: Raleigh Orthopaedic Clinic, P.A.
