A recently publicized settlement with the Office of Civil Rights of the U.S. Department of Health and Human Services highlights that it is not only important to have a HIPAA-compliant form of business associate agreement (BAA), but also to train staff to identify and carefully analyze when a BAA is required. In this recent case, a prominent Raleigh surgical practice agreed to pay $750,000 to settle charges that it potentially violated HIPAA by improperly disclosing several thousand patients’ protected health information (PHI) to a service provider without having first entered into a BAA with the service provider.

The practice’s failure to have a BAA in place before disclosing its patients’ PHI was clearly a violation of HIPAA’s Privacy Rule, but what makes this case particularly interesting is the nature of the services being provided—namely, the service provider had agreed to digitize the practice’s x-ray films (which contained PHI) free of charge in exchange for being permitted to extract and keep the silver from the film. This fact pattern highlights several important points:

The attorneys in Poyner Spruill’s Health Care and Privacy and Information Security Practice Groups have expertise in HIPAA compliance matters, including analyzing when a BAA is necessary and drafting and negotiating BAAs for covered entities and business associates.
