Lack of BA Agreement Costs Clinic $750,000
Marianne Kolbasuk McGee (HealthInfoSec) • April 20, 2016
A North Carolina orthopedic clinic will pay a $750,000 penalty as part of a breach-related settlement involving the release of 17,300 X-ray films containing protected health information to a vendor without having a business associate agreement in place, as required under HIPAA.
The Department of Health and Human Services’ Office for Civil Rights says in an April 19 statement that the settlement with Raleigh Orthopaedic Clinic, which operates clinics and an orthopedic surgery center in Raleigh, N.C., spotlights the importance of executing a BA agreement before turning over PHI to third-party vendors.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” Jocelyn Samuels, director of OCR, said in the statement. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”