The Office for Civil Rights (OCR), the agency within the United States Department of Health and Human Services that enforces the HIPAA Privacy and Security Rules, recently sent a clear message about the importance of business associate agreements. In separate settlements with the agency, two health care providers agreed to pay extremely large monetary penalties to settle charges that they violated HIPAA by failing to enter into business associate agreements with vendors before disclosing protected health information (PHI). These two settlements vividly demonstrate that OCR will vigorously enforce the business associate requirements under HIPAA, and both covered entities and business associates should take care to ensure that they are fully compliant with these rules.
The HIPAA Privacy Rule clearly states that a HIPAA “covered entity” – that is, a health care provider that engages in electronic transactions, a health plan, or a health care clearinghouse – cannot disclose PHI to a business associate (BA) unless it first enters into a written business associate agreement. A business associate is any third party that performs certain functions or activities for the covered entity that involve the use or disclosure of PHI – for example, a third party administrator for a health plan, or a physician’s medical record transcriptionist.
On April 14, 2016, an orthopedic clinic in Raleigh, North Carolina, agreed to pay $750,000 to settle charges that it violated HIPAA by disclosing the protected health information of over 17,000 patients to a vendor without first entering into the required BA agreement. Raleigh Orthopedic Clinic, P.A. allegedly contracted with a vendor to transfer X-ray images to digital media, under an arrangement that allowed the vendor to harvest the silver from the X-rays. The clinic eventually determined that the vendor had simply sold the X-ray films to a recycling company and had never digitized the images. The clinic’s Resolution Agreement with OCR recites OCR’s allegation that the clinic had violated the Privacy Rule by turning over the X-rays – which obviously constituted protected health information – without obtaining a signed business associate agreement. Note that OCR cited no evidence that the X-rays were ever exposed to the public or seen by anyone other than the vendor, nor are any other HIPAA violations mentioned in the Resolution Agreement. Accordingly, the $750,000 may represent what OCR considers an appropriate penalty for simply failing to obtain the requisite BA agreement, at least in this case.
In March of this year, North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle charges that it had violated the HIPAA Privacy and Security Rules by failing to enter into a business associate agreement with a vendor and failing to institute an organization-wide security risk analysis. In this case, North Memorial disclosed electronic PHI (ePHI) to a vendor (Accretive Health) without obtaining the required business associate agreement; the failure was discovered when an unencrypted laptop containing the ePHI was stolen from the vendor and the breach was reported to OCR by North Memorial. Note that the health system did enter into a BA agreement with Accretive, but this was more than six months after its disclosure of the ePHI (see the Resolution Agreement). In its press release announcing the settlement, OCR referred to the business associate agreement requirement as a “cornerstone of the HIPAA Rules”.
These recent settlements underscore the critical importance that the Federal enforcement agency attaches to the requirement of a written business associate agreement. Under the Privacy Rule, a BA agreement is required whenever a covered entity discloses PHI to a business associate, before the disclosure is made. The Privacy Rule establishes several mandatory elements that a BA agreement must address.
Moreover, as a result of changes made by the 2009 “HITECH Act” (the Health Information Technology for Economic and Clinical Health Act), business associates are themselves directly responsible for HIPAA compliance and are subject to the same civil and criminal penalties as covered entities.
Given OCR’s demonstrated enforcement posture concerning these requirements, both covered entities and business associates should ensure that they have compliant agreements in place for all business associate relationships.