Doctor concerned with health care law

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Health Law Daily, April 20, 2016

Clinic learns to protect PHI the hard way with $750,000 settlement

By Bryant Storm, J.D.

Raleigh Orthopaedic Clinic, P.A. entered into a $750,000 settlement agreement with HHS to resolve allegations that the provider group practice violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L 104-191Privacy Rule by handing over the protected health information (PHI) of nearly 17,300 patients to a potential business partner without first executing a business associate (BA) agreement (BAA) with that partner. Raleigh Orthopaedic is required under the settlement agreement to revise and implement BA policies to enhance PHI protections and to prevent further breaches (Settlement Agreement, October 15, 2015).

Breach. The HHS Office for Civil Rights (OCR) received a breach report concerning Raleigh Orthopaedic on April 30, 2015, and initiated an investigation. The OCR determined that Raleigh Orthopaedic gave a third party access to 17,300 patients’ x-ray films and related PHI. The third party agreed to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic did not enter into a BAA with the x-ray transfer company prior to handing over the x-rays. HIPAA requires that covered entities obtain BAAs containing assurances that the PHI will be protected by business partners that handle PHI. The agency offers model BAAs to help covered entities meet that obligation.

Settlement. Under the settlement agreement, in addition to paying $750,000 to settle the HIPAA charges, Raleigh Orthopedic agreed to revise its BA policies and procedures. Specifically, the clinic agreed to establish a procedure for identifying when and whether an entity qualifies as a BA and to designate an individual as responsible for ensuring that BAAs are in place prior to PHI disclosures. The agreement also requires the clinic to create a BAA template, establish a document maintenance process for BAAs, and limit PHI disclosures to BAs to the minimum disclosure necessary to accomplish the purpose of the association with the BA.

Companies: Raleigh Orthopaedic Clinic, P.A.

MainStory: TopStory EHRNews HITNews HIPAANews ProgramIntegrityNews

Back to Top

Health Law Daily

Introducing Wolters Kluwer Health Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.


A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.