Raleigh, N.C.—The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently announced that the Raleigh Orthopedic Clinic of North Carolina has agreed to pay $750,000 in settlement fees. The clinic faced charges that it had potentially violated HIPAA privacy rules. The “potential violation” wording released by the OCR is meant to obfuscate the role the Raleigh clinic had in its infraction of HIPAA privacy rules; the company unequivocally broke the law. The violation occurred when the Raleigh clinic handed over the protected health information of approximately 17,300 patients to a potential business associate without first executing a business associate agreement, which is required of all entities when disclosing such information to unauthorized persons.
The lack of a business associate agreement left this sensitive health information without protection and open to abuse, misuse or illegal disclosure. OCR began its investigation of Raleigh Orthopedic when it received a breach report on April 30, 2013. OCR discovered that Raleigh Orthopedic had given away x-ray films and other protected health information belonging to approximately 17,300 patients. This information was given to a business associate that had promised to transfer the x-ray images to electronic media in exchange for harvesting the silver from the x-ray films. However, Raleigh Orthopedic failed to complete a business associate agreement before turning over the protected health information.
Jocelyn Samuels, Director of the OCR, emphasized the importance of completing business associate agreements. She stated, “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” further adding, “it is critical for entities to know to whom they are handing protected health information and to obtain assurances that the information will be protected.”
In addition to its $750,000 penalty, Raleigh Orthopedic will be required to revise its policies and procedures to, as OCR dictates, “establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing protected health information to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreement for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of protected health information to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.”
The staggering oversight of what may be described as superficial paperwork has dealt a body blow to a practice that will face not only monetary reparations but an injured reputation as well. These effects can only be explained as the result of a lack of understanding of HIPAA law by the staff of Raleigh Orthopedic. Simple HIPAA training could have preserved the integrity of their patients’ protected health information. This was nothing more than human error, committed without malice or forethought. Supremus Group offers the only sound, safe, and simple education to healthcare staff for HIPAA certification training.