HHS’ Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules against HIPAA covered entities. Since the implementation date of the Privacy Rule in April 2003, OCR has received over 132,559 HIPAA complaints and has initiated over 887 compliance reviews. OCR has resolved ninety-six percent of these cases (126,920). OCR has investigated and resolved over 24,206 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. OCR's enforcement activities have obtained significant results that have improved the privacy practices of covered entities. The corrective actions OCR has obtained from covered entities have produced systemic change that has improved the privacy protection of health information for all individuals those entities serve.
HIPAA enforcement includes the requirement that Covered Entities (health care providers and health plans) have Business Associate Agreements with their “Business Associates.” “Business Associates” are persons or entities who “create, receive, maintain or transmit” Protected Health Information (“PHI”) in performing services on behalf of a Covered Entity. Furthermore, a subcontractor of a Business Associate that creates, receives, maintains or transmits PHI on behalf of a Business Associate is also a “Business Associate.” Both Covered Entities and Business Associates are directly liable for failing to have a compliant Business Associate Agreement in place. In addition, Business Associates must have Business Associate Agreements with their subcontractors who create, receive, maintain or transmit PHI on behalf of a Business Associate.
In a settlement, HHS and a covered entity or business associate sign a resolution agreement in which the covered entity or business associate agrees to perform certain obligations and to report to HHS, generally for a period of three years. During that period, HHS monitors the covered entity’s or Business Associate’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action, or through other informal means including a resolution agreement, civil money penalties (CMPs) may be imposed on the covered entity for noncompliance. Three recent cases of OCR enforcement for failure to have a required Business Associate Agreement include:
1. $1.55 million settlement underscores the importance of executing HIPAA business associate agreements
North Memorial Health Care has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement includes a monetary payment of $1,550,000 and a robust corrective action plan.
2. $750,000 settlement highlights the need for HIPAA business associate agreements
Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to execute a business associate agreement prior to turning over the PHI of 17,300 patients to a potential business partner. Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopaedic surgery center in the Raleigh, North Carolina area. The settlement includes a monetary payment of $750,000 and a robust corrective action plan.
3. Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement
Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to pay $3.5 million to settle OCR charges of multiple violations, including “impermissible disclosure of its beneficiaries’ PHI to an outside vendor without having a required Business Associate Agreement in place.”