If you’re familiar with the Health Insurance Portability and Accountability Act (HIPAA), you may know that covered entities cannot disclose protected health information (PHI) to unauthorized persons. However, covered entities often work with third parties and need to disclose PHI to these non-covered entities for business reasons. HIPAA allows for covered entities to make these business-related disclosures—but the covered entity and the business associate need to formalize a relationship via a written business associate agreement first.
A business associate agreement is a contract that codifies the relationship of the covered entity to the business associate. A business associate is a person or entity that provides services to, performs work on behalf of, or otherwise touches PHI when working with a HIPAA covered entity. The written agreement specifies permissible uses and disclosures of PHI by the business associate, states that the business associate will comply with HIPAA requirements, includes information about procedures that will be followed in case of a HIPAA breach, and specifies how PHI will be handled upon termination of the covered entity’s relationship with the business associate. The Department of Health and Human Services (HHS) provides sample provisions for a business associate agreement, though many covered entities use individually tailored agreements.
Handing over PHI to an unauthorized person or entity is a violation of HIPAA. Last week, HHS fined a North Carolina provider, Raleigh Orthopaedic Clinic, $750,000 for violating this rule. The clinic released X-ray films and related PHI for 17,300 patients to a third-party company in order for the third-party company to digitize those records. This transaction was arranged via an oral agreement. However, because the clinic and the third-party company didn’t have a written business associate agreement in place, the clinic caused a HIPAA breach by releasing PHI to an unauthorized entity.
In addition to the $750,000 fine, Raleigh Orthopaedic must undergo a two-year corrective action plan and take actions including revising HIPAA policies and procedures, reviewing current business associate agreements and retraining employees.
To add insult to injury, the clinic never received the digitized PHI from the vendor. Instead of digitizing the PHI, the third-party company simply sold the X-ray films to a recycling company, which extracted and sold the silver from the X-ray films before apparently destroying the PHI.
Last month, HHS fined a Minnesota healthcare system $1,550,000 for failing to conduct a risk assessment and failing to execute a written business associate agreement with a third-party billing company. The third-party billing company was not authorized to receive PHI but was given access to the PHI of almost 300,000 patients for over six months before a business associate agreement was finally signed.
Jocelyn Samuels, Director of HHS Office for Civil Rights, stated: “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” As these two recent actions show, failing to execute a business associate agreement can be an expensive mistake.