BreachExchange mailing list archives
Lack of BA Agreement Costs Clinic $750,000
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 20 Apr 2016 18:32:10 -0500
http://www.databreachtoday.com/lack-ba-agreement-costs-clinic-750000-a-9055

Second HIPAA Enforcement Action This Year Involving a Vendor Agreement

A North Carolina orthopedic clinic will pay a $750,000 penalty as part of a breach-related settlement involving the release of 17,300 X-ray films containing protected health information to a vendor without having a business associate agreement in place, as required under HIPAA <http://www.healthcareinfosecurity.com/hipaa-hitech-c-282>.

The Department of Health and Human Services' Office for Civil Rights <http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic-bulletin/index.html> says in an April 19 statement that the settlement with Raleigh Orthopaedic Clinic, which operates clinics and an orthopedic surgery center in Raleigh, N.C., spotlights the importance of executing a BA agreement before turning over PHI to third-party vendors.

"HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise," Jocelyn Samuels, director of OCR, said in the statement. "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."

Common Issue

The Raleigh Orthopaedic case highlights a far-too-common problem, says privacy <http://www.healthcareinfosecurity.com/privacy-c-151> and security expert Kate Borten, founder of The Marblehead Group consultancy. "The impetus for this investigation and resolution agreement was the privacy breach caused by the complete lack of a business associate relationship and PHI protection," she says. "This continues to be a not uncommon problem in healthcare a decade after the [HIPAA] rules" went into effect.
In fact, OCR's resolution agreement with Raleigh Orthopaedic is the second enforcement action OCR has taken so far this year highlighting the importance of having a business associate agreement. In March, OCR announced a $1.55 million settlement with North Memorial Healthcare <http://www.healthcareinfosecurity.com/provider-faces-155-million-penalty-for-bas-breach-a-8978> in a case involving the lack of a BA agreement with a vendor as well as the lack of a timely, enterprisewide risk analysis <http://www.healthcareinfosecurity.com/risk-assessment-c-44>, another HIPAA requirement.

"Covered entities and business associates must have a thorough process around their downstream BAs," Borten says. "At all times, the entity must be sure it has identified all its BAs and that they have signed a compliant business associate agreement prior to PHI release."

Breach Investigation

This latest settlement is the result of an OCR investigation involving a breach <http://www.healthcareinfosecurity.com/breach-response-c-324> reported by Raleigh Orthopaedic in April 2013. In a 2013 statement <http://www.raleighortho.com/news-events-notification.php>, the healthcare entity said it had "contracted with a third-party vendor to transfer old X-ray films into electronic format." Raleigh Orthopaedic said it provided the vendor with the X-ray films, "but the vendor never provided Raleigh Ortho with an electronic version of the films."

The clinic said it conducted an investigation and, "during the first week of March 2013, discovered that it had been the victim of a scam. It appears that the X-ray films were sold to a recycling company in Ohio that harvested the silver from the films. Raleigh Ortho believes the films were ultimately destroyed." The healthcare provider said at the time that patients' full names and dates of birth accompanied the films, but that it did not believe any other individually identifiable information was on the X-ray films.
In the resolution agreement, however, OCR notes that "HHS received notification from [Raleigh Orthopaedic Clinic] regarding a breach of its PHI resulting from an impermissible disclosure of PHI contained in X-ray films to a third-party vendor after orally arranging for the vendor to harvest the silver from the films in exchange for transferring the X-rays into electronic media."

Raleigh Orthopaedic did not immediately respond to Information Security Media Group's request for comment.

Corrective Action Plan

In addition to the financial settlement, the resolution agreement <http://www.hhs.gov/sites/default/files/Raleigh%20Orthopaedic%20RA%20%26%20CAP%20%28508%29_0.pdf> between OCR and Raleigh Orthopaedic includes a corrective action plan requiring the clinic to revise its policies and procedures related to business associates. That includes:

- Establishing a process for assessing whether entities are business associates;
- Designating an individual responsible for ensuring BA agreements are in place prior to disclosing PHI to a business associate;
- Creating a standard template BA agreement;
- Establishing a standard process for maintaining documentation of BA agreements for at least six years beyond the date of termination of a BA relationship;
- Limiting disclosures of PHI to BAs to the minimum necessary to accomplish the purpose for which the BA was hired; and
- Providing training <http://www.healthcareinfosecurity.com/awareness-training-c-27> to its workforce for any changes in policies and procedures related to BAs.

Borten notes that every HIPAA-covered organization should ensure it has "a complete and detailed spreadsheet of its BAs, and that someone has been designated to maintain it, including periodic review by management."

Other Recent Settlements

The settlement between OCR and Raleigh Orthopaedic is the fifth enforcement action issued by OCR so far in 2016.
In addition to the North Memorial Healthcare case, those include:

- A $3.9 million settlement and resolution agreement in March with Feinstein Institute for Medical Research <http://www.healthcareinfosecurity.com/research-institute-breach-results-in-39-million-sanction-a-8979> related to insufficient security management processes, policies and procedures noted by OCR after investigating a breach tied to the theft of an unencrypted <http://www.healthcareinfosecurity.com/encryption-c-209> laptop containing data on several thousand patients and participants in a research project;
- A $25,000 settlement and resolution agreement in February with Complete P.T., Pool & Land Physical Therapy Inc. <http://www.healthcareinfosecurity.com/case-shines-spotlight-on-hipaas-marketing-rules-a-8890>, resulting from an investigation of a complaint alleging that the organization was impermissibly disclosing PHI on its website for marketing purposes;
- A summary judgment in February requiring Lincare Inc. <http://www.healthcareinfosecurity.com/ocr-slaps-home-health-provider-penalty-a-8842>, a provider of respiratory care, medical equipment and other services to in-home patients, to pay a $239,800 civil monetary penalty in a case stemming from a complaint that a Lincare employee left behind documents containing the PHI of 278 patients after moving to a new residence.