Federal HHS investigators found that Raleigh Orthopaedic was less than transparent with its handling of over 17,000 patient x-ray records. Raleigh administrators figured it was time to go digital, so they subcontracted the job to a third party, who agreed to transfer the x-rays to electronic media in exchange for harvesting the silver from the x-ray film.
Raleigh Orthopaedic got the worse of that business deal, which failed to follow federal medical records disclosure laws. Raleigh Orthopaedic turned over all those x-ray films, but failed to complete a business associate agreement specifying the third party’s responsibilities for safeguarding the patient records. Said agreement is required under HIPAA — the Health Insurance Portability and Accountability Act of 1996.
So Raleigh Orthopaedic received a hard HIPAA lesson and agreed to a $750,000 “settlement agreement.” They may have gotten off easy, because HIPAA provides maximum penalties of up to $1.5 million. In any case, they still weren’t finished. The settlement included a corrective action plan, which is really a plan of action to do everything required by the HIPAA Security Rule as regards third party vendors.
Third party vendors actually become so-called covered entities when they do subcontracting work for other medical organizations. Let’s review general HIPAA requirements:
Who is regulated — i.e., considered a covered entity — by the law
Your organization is considered a covered entity if it:
Covered entity responsibilities under HIPAA
If your organization handles private health information, the requirements are straightforward:
Positive steps covered entities must take under HIPAA
The HIPAA Security Rule, among other things, requires the following actions:
Read more about third-party vendors’ responsibilities in this CSO online article.
Lesson learned
Raleigh Orthopaedic, a for-profit medical organization, transferred a business function to a third party, but could not transfer liability. A business associate agreement would have informed their vendor that the vendor was required by law to abide by the same standards as any health organization.
Need some help with HIPAA compliance?
If you handle, transmit or process electronic personal health information, you need to stay ahead of the HIPAA power curve. 403Tech Inc is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and HIPAA compliance news. Contact us at (403) 215-7506 or send us an email at [email protected] for more information.
403Tech is one of the Top 50 Managed IT services companies in Canada.