The Office for Civil Rights announced a $750,000 settlement with Raleigh Orthopaedic Clinic, P.A. (“ROC”) of North Carolina on April 20, 2016, resulting from a breach involving an “undocumented” business associate. The settlement comes only weeks before desk audits are expected to begin and focuses on a perceived area of weakness, business associate agreements.
The factual background to the ROC settlement is that ROC notified OCR of an impermissible disclosure of PHI by a third party vendor. That third party vendor orally agreed to convert ROC’s x-rays into electronic form in exchange for harvesting the silver from the x-rays. Such a relationship likely happens all of the time, but unfortunately, for ROC, it did not close the loop on the oral agreement by executing a business associate agreement (“BAA”). Instead, ROC disclosed the PHI of roughly 17,300 to the vendor without the BAA in place. As such, ROC did not receive satisfactory assurances from the vendor that it complied with applicable HIPAA requirements.
The settlement underscores the obligation of covered entities, such as ROC, to obtain an appropriate BAA. The business associate is not obligated to put the BAA into place. Such obligation is squarely on the covered entity under the HIPAA Privacy and Security Rules. As stated by OCR Director Jocelyn Samuels, “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.” It is an active part of HIPAA compliance and one that cannot, nor should be, ignored.
ROC’s settlement and fine emphasize the need for all practices to re-evaluate operations and verify that all necessary and required agreements, policies and procedures are in place. The settlement is a good indicator of an issue that OCR will look for in its audit process. All recent settlements have most certainly occurred with a purpose, namely to forewarn the industry of what will be front and center during an audit. Such warnings should not be ignored.
While oft repeated, it must be said again. The time for such verification of compliance is now. Once an audit request is received, it will be too late to correct an issue. Do not delay, but review, correct and continuously monitor.