Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced another HIPAA settlement with a covered entity for failure to enter into a business associate agreement.
Raleigh Orthopaedic Clinic, P.A. (“Raleigh Orthopaedic”) agreed to pay $750,000 and enter into a Corrective Action Plan for allowing a vendor to access x-ray films containing protected health information (PHI) without first executing a business associate agreement. Pursuant to its arrangement with the vendor, Raleigh Orthopaedic allowed the vendor to harvest the silver from the x-ray films in exchange for transferring the x-rays into electronic media.
This settlement follows closely on the heels of settlements announced by OCR last month with North Memorial Health Care ($1.55 million) and in November 2015 with Triple-S Management Corporation ($3.5 million) for violations including failure to enter into business associate agreements.
The Raleigh Orthopaedic settlement provides another reminder that covered entities (as well as business associates) need to ensure that an appropriate business associate agreement is in place with respect to each business associate relationship as required under the HIPAA Privacy and Security Rules, keeping in mind that some terms are required and others are negotiable.
Emily A. Johnson contributed to this article.