Another HIPAA settlement ($750K) for lack of business associate agreement

Blog Post

Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced another HIPAA settlement with a covered entity for failure to enter into a business associate agreement.

Raleigh Orthopaedic Clinic, P.A. (“Raleigh Orthopaedic”) agreed to pay $750,000 and enter into a Corrective Action Plan for allowing a vendor to access x-ray films containing protected health information (PHI) without first executing a business associate agreement. Pursuant to its arrangement with the vendor, Raleigh Orthopaedics allowed the vendor to harvest the silver from the x-ray films in exchange for transferring the x-rays into electronic media.

This settlement follows closely on the heels of settlements announced by OCR last month with North Memorial Health Care ($1.55 million) and in November 2015 with Triple-S Management Corporation ($3.5 million) for violations including failure to enter into business associate agreements.

The Raleigh Orthopaedic settlement provides another reminder that covered entities (as well as business associates) need to ensure that an appropriate business associate agreement is in place with respect to each business associate relationship as required under the HIPAA Privacy and Security Rules, keeping in mind that some terms are required and others are negotiable.

Emily A. Johnson contributed to this article.

Jump to Page

McDonald Hopkins uses cookies on our website to enhance user experience and analyze website traffic. Third parties may also use cookies in connection with our website for social media, advertising and analytics and other purposes. By continuing to browse our website, you agree to our use of cookies as detailed in our updated Privacy Policy and our Terms of Use.