On April 20th, the Office of Civil Rights (OCR) announced a $750,000 HIPAA Privacy Rule settlement with an orthopedic practice that failed to enter into a business associate agreement (BAA) with a business associate. A breach report revealed that the orthopedic practice gave x-ray information for more than 17,000 patients to a company that transfers x-ray images to electronic media and then harvests the silver from the x-ray films. The problem with this arrangement is that the electronic media company had access to the practice’s PHI – and yet there was no business associate agreement in place. While we don’t know how this particular problem happened, these types of HIPAA violations often occur when officers and managers work without talking to each other. For example, a new employee in the medical records department releases records without a proper authorization because they didn’t think to ask the Privacy Officer what to do. Or, IT and the Administrator decide to buy new computers without discussing encryption and other security measures with the Security Officer. Or, a department head sends PHI out for storage or processing without asking the Privacy Officer for a BAA.

What You Can Do:
- Remove Communication Barriers. Structure your contracting and purchasing process so that your Privacy and Security Officers have a seat at the table BEFORE decisions are made. Likewise, recognize that individuals making changes to technology or processes need to communicate changes to your HIPAA and compliance officers, so risk can be assessed and management programs can be implemented.
- Use your compliance committee meetings wisely. Does your compliance committee meet quarterly, and listen while the compliance officer reads the meeting agenda? If there’s no discussion, you have a missed opportunity. Use these meetings to share information about emerging risks and upcoming contracts and deals. By getting committee members in the habit of including each other in big decisions, you can avoid costly communication breakdowns.
- Implement a BAA management system. Are you confident that all business associates have an up-to-date BAA in place? Keep a spreadsheet inventory of every business associate and the date its BAA was put in place. Also use a business associate due diligence process to monitor business associates’ HIPAA practices and ensure your PHI is safe.