Lack of business associate agreement leads to $750,000 HIPAA fine
HCPRO Website, April 22, 2016
The Office for Civil Rights (OCR) made an example of its increased focus on business associate agreements (BAA) with its latest HIPAA settlement. Raleigh Orthopaedic Clinic, P.A. of North Carolina (ROC) agreed to pay $750,000 to settle charges that it violated HIPAA when it turned over X-ray films of approximately 17,300 patients to a third-party vendor without obtaining a BAA, HHS said.
OCR’s investigation began in April 2013 when ROC notified the agency about a possible breach. ROC contracted with a third party vendor to transfer old X-ray films into electronic files. The clinic sent the X-rays to the vendor without first obtaining a BAA. The vendor never provided the electronic files and an investigation by ROC revealed it was the victim of a scam. The vendor failed to create the electronic files and instead sold the X-rays to a recycling company in Ohio that harvested the silver from the films. ROC was not able to determine the location of any X-rays it entrusted to the vendor. The missing X-rays were taken prior to 2008 and contained patients’ full names and dates of birth.
Along with the fine, ROC agreed to a corrective action plan that states ROC will provide OCR with a list of its business associates (BA) and BAAs as well as a revised BAA policy that identifies the individuals responsible for evaluating BAs and obtaining and maintaining BAAs.
OCR used the announcement to remind covered entities (CE) that they are responsible for scrutinizing all potential BAs and must obtain a BAA before granting any BA access to PHI.
OCR has made a point of emphasizing key aspects of HIPAA compliance like risk analysis and BAAs in a string of high-profile HIPAA settlements. CEs and BAs should be aware that this may indicate that the agency will focus on these areas during Phase 2 audits. Phase 2 of the HIPAA Audit Program began in March and, unlike Phase 1, will include BAs. The agency recently released updated Phase 2 audit protocols, the pre-audit screening questionnaire, and a sample BA listing template.
Most Popular
- Articles
-
- Don’t forget the three checks in medication administration
- Differentiate between types of wound debridement
- Note similarities and differences between HCPCS, CPT® codes
- Revisions deeming EPs
- OB services: Coding inside and outside of the package
- Reimbursement for Facility and Professional Services in a Provider-Based Department by Gina M. Reese, Esq., RN
- Practice the six rights of medication administration
- Complications from immobility by body system
- Know guidelines and subtle differences in code descriptions for laceration repairs
- What to include on the incident report
- E-mailed
-
- Joint Commission Revises Scoring for IC Standard
- Study: Hospital Bedsheets Could Be Source of C. difficile Contamination
- Q/A: Who must approve change in patient status for condition code 44?
- Revisions deeming EPs
- Coding, billing, and documentation tips for teaching physicians, interns, residents, and students
- Reimbursement for Facility and Professional Services in a Provider-Based Department by Gina M. Reese, Esq., RN
- Ensuring clear and concise documentation critical for case managers
- Dig into the details of wound care documentation
- Critical thinking scenarios for teaching nurses
- CPT Manual moves laparoscopic ablation of uterine fibroid tumors from Category III codes
- Searched