The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it reached a $750,000 HIPAA settlement with Raleigh Orthopedic Clinic, P.A. The Raleigh, North Carolina-based provider group practice runs several clinics and an orthopedic surgery center. The HIPAA settlement was reached after the protected health information (PHI) of 17,300 patients was unlawfully transmitted to a Business Associate (BA) without a proper Business Associate Agreement (BAA) having been executed.

Under HIPAA, covered entities (CEs) are prohibited from disclosing PHI to BAs unless a BAA is in place that sets out the safeguards the BA must maintain during the use or transmission of PHI.

OCR began its investigation of Raleigh Orthopedic after a breach was reported in 2013. The investigation revealed that Raleigh Orthopedic had disclosed the X-rays and associated PHI of 17,300 patients to an organization that was hired to digitize the images. Raleigh Orthopedic failed to execute a BAA, and in doing so exposed its patients’ PHI to the BA it was working with.

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director Jocelyn Samuels. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

Raleigh Orthopedic is expected to pay a $750,000 HIPAA settlement and revise its policies and procedures, specifically in regard to hiring and vetting BAs and executing BAAs.

Doctors and CEs who do business with digitizing and electronic storage services need to take specific measures to ensure that their patients’ privacy is maintained at all times. Any time a CE pays a service to handle PHI, it is engaging a BA and is bound by the full extent of the HIPAA Privacy Rule, as well as the rest of the federal regulations governing the use and disclosure of PHI.