Consistent with the settlement the OCR agreed to with North Memorial Health Care of Minnesota, [view related post] the Office for Civil Rights has settled its investigation of Raleigh Orthopaedic Clinic, P.A. (Raleigh Orthopaedic) for $750,000. The OCR alleged that Raleigh Orthopaedic “potentially” violated HIPAA “by handing over protected health information for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.”

The investigation commenced following a self-report of a data breach from April 30, 2013. The investigation showed that Raleigh Orthopedic intended to give X-Ray films to a third party to transfer the images to electronic media and then harvest the silver from the films. Raleigh handed over the X-Rays to the third party without entering into a business associate agreement with the third party.

On top of the fine, Raleigh Orthopaedic must “establish a process for assessing whether entities are business associates…” among other requirements.

The lesson from this case is to focus on vendor relationships and vendor management, including implementing a process that any vendor or third party that is going to receive PHI execute a business associate agreement. Other important considerations for vendor management include, but is not limited to, review of the vendor’s data privacy and security practices, the vendor’s risk assessments and risk management, confirmation of insurance and indemnification obligations.