Federal HHS investigators found that Raleigh Orthopaedic was less than transparent with its handling of over 17,000 patient x-ray records. Raleigh administrators figured it was time to go digital, so they subcontracted the job to a third party, who agreed to transfer the x-rays to electronic media in exchange for harvesting the silver from the x-ray film.
Raleigh Orthopaedic got the worse of that business deal, which failed to follow federal medical records disclosure laws. Raleigh Orthopaedic turned over all those x-ray films, but failed to complete a business associate agreement specifying the third party’s responsibilities for safeguarding the patient records. Said agreement is required under HIPAA — the Health Insurance Portability and Accountability Act of 1996.
So Raleigh Orthopaedic received a hard HIPAA lesson and agreed to a $750,000 “settlement agreement.” They may have gotten off easy, because HIPAA provides maximum penalties of up to $1.5 million. In any case, they still weren’t finished. The settlement included a corrective action plan, which is really a plan of action to do everything required by the HIPAA Security Rule as regards third party vendors.
Third party vendors actually become so-called covered entities when they do subcontracting work for other medical organizations. Let’s review general HIPAA requirements:
Who is regulated — i.e., considered a covered entity — by the law
Your organization is considered a covered entity if it:
- Provides direct healthcare to patients and processes or transmits any medical information electronically
- Administers or provides a health coverage plan
- Acts as a healthcare clearing house — i.e., processes electronic information received from another source
Covered entity responsibilities under HIPAA
If your organization handles private health information, the requirements are straightforward:
- You must maintain the integrity and privacy of records in your custody.
- You must anticipate and take positive measures against security threats and potential information breaches.
- You must make sure your employees are aware of what constitutes unauthorized disclosure or impermissible use of the records.
Positive steps covered entities must take under HIPAA
The HIPAA Security Rule, among other things, requires the following actions:
- Data breach prevention measures thoroughly a risk analysis and a program involving management
- Designating a specific individual in the organization responsible for enforcing security procedures, along with a specific list of authority and responsibility to ensure HIPAA compliance
- Ensuring workstation and computer security through physical safeguards
- Control of information access and processing through reliable technical safeguards — passwords, designated access levels, etc.
Read more about third-party vendors’ responsibilities in this CSO online article.
Lesson learned
Raleigh Orthopaedic, a for-profit medical organization, transferred a business function to a third party, but could not transfer liability. A business associate agreement would have informed their vendor that the vendor was required by law to abide by the same standards as any health organization.
Need some help with HIPAA compliance?
If you handle, transmit or process electronic personal health information, you need to stay ahead of the HIPAA power curve. QualityIP is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and HIPAA compliance news. Contact us at (330) 931-4141 or send us an email at [email protected] for more information.