Understanding when Business Associate Agreements are necessary can avoid costly and embarrassing enforcement actions

Poyner Spruill LLP

A recently publicized settlement with the Office for Civil Rights of the U.S. Department of Health and Human Services highlights that it is not enough to have a HIPAA-compliant form of business associate agreement (BAA); staff must also be trained to identify and carefully analyze when a BAA is required. In this case, a prominent Raleigh surgical practice agreed to pay $750,000 to settle charges that it potentially violated HIPAA by improperly disclosing several thousand patients’ protected health information (PHI) to a service provider without first having entered into a BAA with that service provider.

The practice’s failure to have a BAA in place before disclosing its patients’ PHI was clearly a violation of HIPAA’s Privacy Rule, but what makes this case particularly interesting is the nature of the services being provided—namely, the service provider had agreed to digitize the practice’s x-ray films (which contained PHI) free of charge in exchange for being permitted to extract and keep the silver from the film. This fact pattern highlights several important points:

  • The nature of a service provider’s services has no bearing on whether the service provider is a “business associate” under HIPAA. If a service provider “creates, receives, maintains, or transmits” PHI on behalf of a covered entity (or as a subcontractor of another business associate), then the service provider is going to be a business associate under HIPAA, and the covered entity (or the disclosing business associate) must have a BAA in place with the service provider before disclosing PHI to it. The fact that the business associate’s underlying services do not superficially seem to be health care-related (e.g., in this particular case, digitizing images) is simply not relevant to the analysis.
  • PHI comes in many forms. In this case the PHI was contained in the x-ray films, so the case emphasizes the variety of media that can be involved. While it is unclear from the Settlement Agreement in this case, it is also worth noting that an x-ray film bearing nothing more than the practice’s internal patient identifier has not been de-identified under HIPAA, because an internal identifier is still a unique identifying number or code; the film therefore remains PHI, and the practice still needed a BAA with the service provider before disclosing it.
  • The fact that transmitted PHI will be destroyed in the course of the service provider’s performance of its services has no impact on whether a BAA is necessary. HIPAA’s Privacy Rule does not distinguish between disclosures to a business associate that will maintain the transmitted PHI and disclosures to a business associate that will destroy it. Accordingly, the fact that the PHI on the practice’s x-ray films would be destroyed by the service provider while extracting silver from those films does not circumvent the Privacy Rule’s BAA requirement. The determinative factor is the disclosure of PHI to a business associate, not the ultimate fate of the disclosed PHI.
  • It is vitally important to train personnel to identify business arrangements that will trigger BAA requirements. Developing and maintaining a HIPAA-compliant form of BAA is absolutely necessary; however, it is equally important for covered entities and business associates to train their personnel to identify arrangements that involve access to PHI, especially when the underlying services may not obviously implicate health care or PHI to an untrained observer. This kind of instruction should be included in the covered entity’s HIPAA-mandated workforce training and reflected in its privacy policies and procedures.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
