In the last two months, the U.S. Department of Health and Human Services (“HHS”) announced two settlement agreements involving the disclosure of protected health information ("PHI"). In both instances, the health care facilities were alleged to have violated the Health Insurance Portability and Accountability Act ("HIPAA").

In the first instance, a health care system in Minnesota (the “Hospital”) reported a breach of the HIPAA security rule after an unencrypted laptop of an employee of one of the Hospital’s business associates was stolen from the employee’s locked vehicle. The laptop contained the electronic PHI (“ePHI”) of what the Hospital then believed to be approximately 2,800 individuals. An investigation found that the Hospital had impermissibly disclosed both electronic and non-electronic PHI of at least 289,904 individuals by providing a business associate with access to PHI for over seven (7) months prior to entering into a written business associate agreement. The investigation also found that the Hospital had failed to complete a risk assessment to address all of the potential risks and vulnerabilities to the ePHI that it maintained. Under the terms of a March 2016 settlement, the Hospital entered into a corrective action plan and agreed to pay $1.55 million dollars in settlement fees.

Similarly in April of 2016, HHS entered into a settlement agreement with an orthopaedic clinic in North Carolina (the “Clinic”) following an investigation indicating that the Clinic had impermissibly disclosed PHI in x-ray films to a third-party vendor after orally arranging for the vendor to transfer the x-rays into electronic media without a written business associate agreement. The Clinic entered into a corrective action plan and agreed to pay $750,000 to settle allegations that it potentially violated the HIPAA privacy rule by impermissibly disclosing the PHI of 17,300 individuals to this third-party vendor.

Both of these settlements highlight the importance of ensuring that health care providers and other covered entities enter into business associate agreements with their third-party vendors prior to permitting such vendors to create, receive, maintain, or transmit PHI on the covered entities’ behalf.

In many cases, such business associate agreements can be executed simultaneous with the underlying contract for services. It is also particularly important for our health care providers to understand the importance of regularly performing risk assessments and reviewing and updating their HIPAA privacy, security, and breach notification policies and procedures.