On April 14, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), entered into a $750,000 settlement with a North Carolina orthopaedic clinic arising from the clinic’s disclosure of x-ray films and related protected health information of 17,300 patients to an entity that was engaged by the clinic to transfer x-ray images to electronic media. According to an OCR press release, the clinic released the information to the outside entity without executing a HIPAA business associate agreement, leaving the information “without safeguards and vulnerable to misuse or improper disclosure.” The OCR investigation arose as a result of the clinic’s breach self-report, which was submitted to OCR in 2013.

In addition to payment of the $750,000 fine, the resolution agreement and accompanying corrective action plan entered into between the clinic and OCR also requires the clinic to take the following corrective action steps:

  • provide HHS the names of all of its business associates and copies of the corresponding business associate agreements;
  • revise its policies and procedures regarding business associates to better track its business associate relationships, and appoint a responsible individual or individuals to coordinate its business associate arrangements;
  • train all of its workforce members who use or disclose PHI within sixty (60) days following HHS’s approval of its revised business associate policies and procedures and related training materials, and annually thereafter;
  • train all new workforce members on its revised and approved business associate policies and procedures within fifteen (15) days after beginning work for the clinic;
  • for a period of two years, notify HHS within thirty (30) days of any failure by a clinic workforce member to comply with its HIPAA policies and procedures, including the actions taken to address the matter, to mitigate any harm, and to prevent it from recurring, including appropriate sanctions taken against such workforce member;
  • for a period of two years, submit an annual report to HHS regarding its compliance with the terms of the corrective action plan, with an accompanying attestation by an owner or officer of the clinic.

This latest enforcement action reinforces the need for covered entities to accurately identify their business associates and execute HIPAA-compliant business associate agreements before disclosing protected health information to these outside entities.