Orthopaedic clinic to pay $750K HIPAA fine after failing to sign BA agreement

An orthopaedic clinic must pay $750,000 to settle a potential HIPAA violation in which it handed protected health information to a third party without a business associate (BA) agreement in place.

North Carolina-based Raleigh Orthopaedic Clinic released X-rays and related protected health information of 17,300 patients to a prospective business partner, according to an announcement from the Health and Human Services Department's Office for Civil Rights.

HHS OCR received a breach report in April 2013 and opened an investigation of the clinic. It found that the clinic had handed the X-ray films to an unnamed vendor, which had offered to convert them to electronic media in exchange for keeping the silver recovered from the film.

OCR announced the start of the second phase of its HIPAA Audit Program at the 24th National HIPAA Summit in the District of Columbia in March. The first round of desk audits is focused on covered entities, while the second round of audits will focus on business associates.

"HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise," Jocelyn Samuels, director of OCR, said in the Raleigh Orthopaedic announcement. "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."

Roy Wyman, a partner at Nelson Mullins Riley & Scarborough LLP, told FierceHealthIT in an email that OCR, early on in the HIPAA audit process, was responding more to concerns where there would be potential for significant public concern. However, now "as enforcement and review have matured, OCR appears to be moving toward a more encompassing approach, looking for any significant breach of the law, regardless of whether it is something that would be likely to raise public concern," he said.

He added that while the second phase of audits may lead to a modest boost in the number of settlements, "the larger boost is from the increased attention paid by OCR to these issues, particularly as it reviews self-disclosures required following breaches."

In addition to the settlement payment, Raleigh Orthopaedic must revise its policies to clarify when an entity is a BA, designate someone responsible for ensuring BA agreements are in place before PHI is disclosed and create a standard BA agreement, among other corrective actions.

North Memorial Health Care of Minnesota also recently settled a potential HIPAA violation, paying a whopping $1.55 million for failing to enter into a BA agreement with a contractor and for failing to conduct a risk analysis addressing the security of patient data.

To learn more:
- here's the announcement