
An orthopedic clinic pays $750,000 over HIPAA violation surrounding improper patient data sharing

Raleigh Orthopaedic Clinic allegedly handed over protected information for 17,300 patients to a potential business partner without the required agreement in place.
By Jeff Lagasse, Associate Editor, Healthcare Finance

Raleigh Orthopaedic Clinic of North Carolina will pay $750,000 to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 Privacy Rule. The group allegedly handed over protected health information for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.

HIPAA-covered entities cannot disclose protected health information without authorization, and the absence of a business associate agreement left this information without contractual safeguards, leaving it potentially exposed to misuse or improper disclosure.


Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopedic surgery center in the Raleigh, North Carolina, area.

The Office for Civil Rights, a division of the U.S. Department of Health and Human Services, launched its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013. The investigation found that Raleigh Orthopaedic released X-ray films and related protected health information of 17,300 patients to a group that promised to transfer the images to electronic media in exchange for harvesting the silver from the X-ray films. Raleigh Orthopaedic allegedly failed to execute a business associate agreement with this company before turning over the X-rays and health information.


In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to establish a process for assessing whether entities are business associates.

It is also required to designate a "responsible individual" to ensure business associate agreements are in place before protected health information is disclosed to a business associate; create a standard template business associate agreement; and establish a standard process for retaining documentation of business associate agreements for at least six years beyond the date the relationship ends. The group also must limit disclosures of protected health information to any business associate to the minimum necessary to accomplish the purpose for which it was hired.


"HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise," OCR Director Jocelyn Samuels said in a statement. "It is critical for entities to know to whom they are handing personal health information and to obtain assurances that the information will be protected."

Twitter: @JELagasse