EBIA Weekly Newsletter

Two More HIPAA Resolution Agreements Focus on Identifying Business Associates and Limiting Disclosures to Media

   May 12, 2016

Resolution Agreement: Raleigh Orthopaedic Clinic, P.A. (Apr. 14, 2016); Resolution Agreement: The New York and Presbyterian Hospital (Apr. 19, 2016)

Raleigh Resolution Agreement

Raleigh Press Release

New York Resolution Agreement

New York Press Release

HHS’s Office for Civil Rights (OCR) has announced two more resolution agreements settling potential HIPAA privacy and security violations. The first resolution agreement resulted from a health care provider’s provision of X-rays and related protected health information (PHI) to a third-party vendor that agreed to transfer the images to electronic media in exchange for harvesting the silver from the X-ray films. OCR began an investigation after receiving a breach report indicating improper disposal or disclosure of PHI affecting 17,300 individuals. In addition to a $750,000 settlement payment, the covered entity is required to revise its policies and procedures to establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate contracts are in place before disclosing PHI to a business associate; create a standard business associate contract; establish a standard process to maintain business associate contracts for at least six years after termination of a business associate relationship; and limit disclosures to business associates to the minimum necessary PHI. [EBIA Comment: In its recently updated protocol for phase 2 audits (see our Checkpoint article), OCR emphasized these same compliance steps. Covered entities and business associates should take heed.]

The second resolution agreement resulted from a hospital’s disclosures of PHI—without first obtaining HIPAA-compliant authorizations from patients—during the filming of a network television series. In addition to a $2.2 million settlement payment, the covered entity entered into a corrective action plan, which, among other things, prohibits use or disclosure of PHI—for purposes not related to providing medical care—to anyone involved in audio or video recordings or photography. [EBIA Comment: In its news release, OCR said the hospital “blatantly” violated HIPAA’s rules by allowing individuals receiving urgent medical care to be filmed without their authorization and noted that individuals’ images are considered PHI. In addition, OCR found that film crews’ “virtually unfettered” access to the facility created an environment in which PHI could not be protected from impermissible disclosure. While the day-to-day operations of most employer-sponsored health plans and their business associates seem unlikely to pique the interest of television producers, this resolution agreement is still a good reminder that HIPAA requires access controls to ensure that only authorized individuals are able to access PHI.]

EBIA Comment: Even as OCR gears up for phase 2 of its audit program, the steady flow of resolution agreements suggests that many covered entities continue to fall short on the HIPAA basics. With OCR’s increased emphasis on compliance and enforcement, now is a good time for covered entities and business associates to undertake a compliance check-up. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.C (“HIPAA Compliance Audits by OCR”), XX.D (“Resolution Agreements”), XXIV.A (“What Is a Business Associate?”), XXVI.H (“‘Minimum-Necessary’ Standard”), and XXX.C (“Core Security Requirements: Physical Safeguards”). You may also be interested in our recorded webinar “HIPAA Basic Training: Get Your Privacy and Security Compliance on Track for

Contributing Editors: EBIA Staff.