Business Associate Rule Violations Behind $750K HIPAA Settlement

Health Plans, Sponsors & Business Associates Should Verify Plan’s HIPAA Compliance

Employers and other health plan sponsors and the health plan fiduciaries and business associates providing services involving dealings on behalf of the plan with protected health information just received another reminder to confirm and be prepared to prove all required business associate agreements are in place and that the health plans otherwise properly are administering all policies, practices, safeguards and procedures for handling, using and disclosing electronic and other protected health information from the April 20, 2016 Department of Health & Human Services Office of Civil Rights (OCR) announcement of its latest resolution agreement settling Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule charges OCR made against a HIPAA-covered entity for violating HIPAA’s business associate agreement rules.

OCR Charges Brought For Business Associate Agreement Violations

HIPAA’s Privacy Rules generally apply to “covered entities,” which under HIPAA are health plans and insurers, health care providers, health care clearinghouses (Covered Entities) and “business associates,” which are individuals or entities that perform services that aid the  Covered Entity to perform its duties as a Covered Entity.

The Resolution Agreement and Corrective Action Plan (Resolution Agreement) with Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) announced by OCR on April 20th requires Raleigh Orthopaedic to pay $750,000 to settle  charges OCR it violated the Privacy Rule by handing over protected health information of approximately 17,300 patients to a potential business partner without first executing a business associate agreement.

Raleigh Orthopaedic is a provider group practice that operates clinics and a surgery center in the Raleigh, North Carolina area. OCR initiated its investigation of Raleigh Orthopaedic after receiving a breach report on April 30, 2013.  OCR’s investigation indicated that Raleigh Orthopaedic violated the Privacy Rules by releasing the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.  Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the x-rays and PHI.

OCR says this sharing of the x-ray files and other protected health information by Raleigh Orthopaedic violated the Privacy Rules.

Specifically, the Privacy Rules prohibit Covered Entities and their business associates from using, accessing and disclosing protected health information except as specifically permitted in the Privacy Rules. As part of these rules, the “Business Associate” requirements of the Privacy Rule prohibit Covered Entities from disclosing or allowing business associates to use, and business associates from receiving or using protected health information unless the parties first enter into a written business associate agreement that complies with the requirements of the Privacy Rules.

The Resolution Agreement settles OCR charges that Raleigh Orthopaedic violated this Business Associate Agreement requirement by sharing the x-rays and other protected health information with the service provider without first entering a business associate agreement. Under the Settlement Agreement, Raleigh Orthopaedic must pay a $750,000 payment, as well as revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure  business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the Covered Entity hires the business associate.

Although the Resolution Agreement only addresses charges OCR brought against the Covered Entity, Raleigh Orthopaedic, business associates need to keep in mind that both Covered Entities and business associates now are responsible for ensuring compliance with the business associate agreement requirements of the Privacy Rules since the Stimulus Bill amended HIPAA to make most provisions of the Privacy Rule directly applicable to business associates as well as Covered Entities.

 Take Aways For Covered Entities & Their Business Associates 

OCR’s announcement of the Resolution Agreement includes a strong message for other Covered Entities and business associates of the importance of taking seriously their responsibility under the Privacy Rule to ensure that the business associate agreement requirements of the Privacy Rule are met before business associates are allowed to receive, access or use protected health information. The announcement quotes Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as stating.  “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” and “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.”

In light of the Business Associate Rule and Director Samuels’ comments, Covered Entities and business associates alike should review the adequacy of their documentation, policies and practices regarding dealings with service providers who are or could collect, receive or use electronic or other protected health information to propose or perform services in the capacity as a business associate. Certainly both Covered Entities and business associates to ensure that they possess and are able to produce if needed signed business associate agreements for each current business associate agreement as well as that appropriate policies, practices and procedures are in place to ensure that all required business associate agreements are implemented before any disclosure or use of protected health information to the business associate in the future.  As part of these activities, both Covered Entities and business associates also should ensure their policies and practices appropriately provide for the retention of signed copies of all business associate agreements and other records, and the implementation of all other processes and procedures required to position the entity to be able to demonstrate it not only had policies requiring compliance, but appropriately implemented and administered those policies in accordance with the Privacy Rule.

When conducting this review, Covered Entities and business associates also generally should consider the advisability of also reviewing their business associate agreements and the adequacy of these arrangements in light of any other contractual confidentiality and or contractual rights and commitments, regulatory requirements and other operational and risk management concerns that impact or interrelate with the relationship between the business associate and the Covered Entity. It is important to ensure that appropriate steps are taken to evaluate and properly integrate the confidentiality and other commitments that the Privacy Rules mandate a business associate agreement include with audit, performance assessment, and other data access or disclosure, trade secrets, confidentiality, performance standards and guarantees, indemnity and other contractual obligations of other agreements that could impact or be impacted  by the business associate agreements. Steps also should be taken to incorporate appropriate processes and procedures for ensuring that the Covered Entity and members of its workforce understand and consistently administer and document their use of appropriate processes to ensure that the business associate agreement and other requirements of the Privacy Rules are fulfilled.  In the case of employer sponsored plans subject to the Employee Retirement Income Security Act of 1974, for instance, the selection and proper oversight of business associates and the management of plan data both are subject to the fiduciary responsibility rules of ERISA.  Meanwhile, insurers, business associates and other plan vendors also generally should anticipate that beyond HIPAA, they also may be subject to data security, privacy and other mandates and exposures under state HIPAA-like rules for protected health information, as well as other obligations under insurance, data security, identity theft, breach, privacy and other state laws.

The process of evaluating the adequacy of current arrangement and considering the advisability of changes to tighten existing practices in many cases will result in the discovery and discussion of potentially sensitive information about the adequacy of current or past compliance with the Privacy Rules or other matters. For example, it is possible that in the course of review, parties may be unable to locate a signed business associate agreement governing a relationship that the Privacy Rules require be subject to a business associate agreement or in the course of review, information indicating breaches of protected health information or other Privacy Rule violations may have occurred.  For this reason, most Covered Entities and their business associates will want to consider arranging for this review and analysis to be conducted within the scope of attorney-client privilege by or under the direction of qualified legal counsel with HIPAA experience that has entered into a business associate agreement with the Covered Entity or business associate.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, recognized as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine who works, writes and speaks extensively about HIPAA and other data privacy and security concerns.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer helps management manage. Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.  Well-known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.  Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

A Fellow in the American College of Employee Benefit Counsel, Ms. Stamer uses her deep and highly specialized knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others.  She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Throughout her career, Ms. Stamer has advised these and other clients about health care, health plan, financial information, trade secret, privacy and other related compliance, data breach response and remediation and related compliance, risk management and related concerns.  In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others.

Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally.  A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings.  She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers.  Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA),, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA,, Employee Benefit News, and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.  She will share updates on HIPAA and other health care and data security concerns when returns to speak and chair at the 4th Annual Healthcare Privacy and Security Forum scheduled on May 20, 2016 in Los Angeles.

Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of,, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by email here or by telephone at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile at here.

©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. All other rights reserved.

Comments are closed.

%d bloggers like this: