Business Associates: More Than a Checkbox

The Office for Civil Rights announced a $750,000 settlement with Raleigh Orthopaedic Clinic, P.A. (“ROC”) of North Carolina on April 20, 2016, resulting from a breach involving an “undocumented” business associate. The settlement comes only weeks before desk audits are expected to begin and focuses on a perceived area of weakness: business associate agreements.

The factual background to the ROC settlement is that ROC notified OCR of an impermissible disclosure of PHI by a third-party vendor. That vendor orally agreed to convert ROC’s x-rays into electronic form in exchange for harvesting the silver from the x-rays. Such a relationship likely happens all of the time, but unfortunately for ROC, it did not close the loop on the oral agreement by executing a business associate agreement (“BAA”). Instead, ROC disclosed the PHI of roughly 17,300 individuals to the vendor without the BAA in place. As such, ROC did not receive satisfactory assurances from the vendor that it complied with applicable HIPAA requirements.

The settlement underscores the obligation of covered entities, such as ROC, to obtain an appropriate BAA. The business associate is not obligated to put the BAA into place. That obligation falls squarely on the covered entity under the HIPAA Privacy and Security Rules. As stated by OCR Director Jocelyn Samuels, “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.” It is an active part of HIPAA compliance and one that cannot, and should not, be ignored.

ROC’s settlement and fine emphasize the need for all practices to re-evaluate operations and verify that all necessary and required agreements, policies and procedures are in place. The settlement is a good indicator of an issue that OCR will look for in its audit process. All recent settlements have most certainly occurred with a purpose, namely to forewarn the industry of what will be front and center during an audit. Such warnings should not be ignored.

While oft repeated, it must be said again: the time for such verification of compliance is now. Once an audit request is received, it will be too late to correct an issue. Do not delay, but review, correct and continuously monitor.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.

This entry was posted in Compliance, HIPAA, Regulations.