A recent settlement between the US Department of Health and Human Services’ Office for Civil Rights (OCR) and an orthopedic clinic highlights the importance of executing a HIPAA business associate agreement with appropriate third-party service providers. In the OCR settlement, an orthopedic clinic agreed to pay $750,000 to settle charges that it violated HIPAA’s requirements concerning the safeguarding of the protected health information (PHI) of 17,300 patients.
According to the OCR, the clinic made an oral agreement with a vendor whose business involved salvaging silver from x-ray films. In exchange for the salvaged silver, the vendor agreed to transfer the x-ray images to electronic media. The clinic failed to execute a written agreement with the vendor prior to turning over the x-ray images and patient information. Such agreements are required under HIPAA.
A business associate under HIPAA is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity. If a third-party service provider is given access to, or could come into contact with, your organization’s PHI, it is good business practice to treat that provider as a business associate.
The business associate agreement or “BAA” is a contractual agreement between the covered entity and the business associate. It should:
- Describe the permitted and required uses of PHI by the business associate,
- Provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law, and
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the contract.
BAAs should be executed along the chain of custody of the ePHI. As a covered entity, the orthopedic clinic should have recognized its obligation to execute a BAA with the silver-salvaging vendor before giving the vendor the x-ray films and associated patient data. Likewise, had that been done and the silver-salvaging vendor been permitted to engage, and had chosen to engage, a subcontractor to scan the x-ray images, the vendor would have been obligated to execute a BAA with the subcontractor. The onus to obtain a BAA is on the entity sharing the PHI down the chain of custody.
In addition to the fine, the clinic agreed to revise its policies and procedures to:
- Establish a process for assessing whether entities are business associates,
- Designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate,
- Create a standard template business associate agreement,
- Establish a standard process for maintaining documentation of a business associate’s agreements for at least six (6) years beyond the date of termination of a business associate relationship, and
- Limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.
If your organization needs to put a business associate agreement in place with a third-party service provider, see the HHS guidance and template at the following link: