Federal HHS investigators found that Raleigh Orthopaedic was less than transparent with its handling of over 17,000 patient x-ray records. Raleigh administrators figured it was time to go digital, so they subcontracted the job to a third party, who agreed to transfer the x-rays to electronic media in exchange for harvesting the silver from the x-ray film.
Raleigh Orthopaedic got the worse of that business deal, which failed to follow federal medical records disclosure laws. Raleigh Orthopaedic turned over all those x-ray films, but failed to complete a business associate agreement specifying the third party’s responsibilities for safeguarding the patient records. Said agreement is required under HIPAA — the Health Insurance Portability and Accountability Act of 1996.
So Raleigh Orthopaedic received a hard HIPAA lesson and agreed to a $750,000 “settlement agreement.” They may have gotten off easy, because HIPAA provides maximum penalties of up to $1.5 million. In any case, they still weren’t finished. The settlement included a corrective action plan, which is really a plan of action to do everything required by the HIPAA Security Rule as regards third party vendors.
Third party vendors actually become so-called covered entities when they do subcontracting work for other medical organizations. Let’s review general HIPAA requirements:
Who is regulated — i.e., considered a covered entity — by the law
Your organization is considered a covered entity if it:
Provides direct healthcare to patients and processes or transmits any medical information electronically
Administers or provides a health coverage plan
Acts as a healthcare clearing house — i.e., processes electronic information received from another source
Covered entity responsibilities under HIPAA
If your organization handles private health information, the requirements are straightforward:
You must maintain the integrity and privacy of records in your custody.
You must anticipate and take positive measures against security threats and potential information breaches.
You must make sure your employees are aware of what constitutes unauthorized disclosure or impermissible use of the records.
Positive steps covered entities must take under HIPAA
The HIPAA Security Rule, among other things, requires the following actions:
Data breach prevention measures thoroughly a risk analysis and a program involving management
Designating a specific individual in the organization responsible for enforcing security procedures, along with a specific list of authority and responsibility to ensure HIPAA compliance
Ensuring workstation and computer security through physical safeguards
Control of information access and processing through reliable technical safeguards — passwords, designated access levels, etc.
Raleigh Orthopaedic, a for-profit medical organization, transferred a business function to a third party, but could not transfer liability. A business associate agreement would have informed their vendor that the vendor was required by law to abide by the same standards as any health organization.
Need some help with HIPAA compliance?
If you handle, transmit or process electronic personal health information, you need to stay ahead of the HIPAA power curve. CSP, Inc is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and HIPAA compliance news. Contact us at (919) 424-2000 or send us an email at email@example.com for more information.
Always at your service to provide the highest level of quality support to our customers.
Anthony Firth Client Engineer
“I’m passionate about building and fostering relationships, and finding solutions for success.”
Michael Koenig Client Account Manager
“I help clients stabilize and grow their IT infrastructure so they can focus on growing their core business.”
Josh Wilshire Systems Engineer Team Lead
“I strive to provide the highest level of quality service to our customers.”
Tommy Williams Sr. Hardware Engineer
“I’m driven by the steadfast belief that technology must serve as a business enabler. This mantra has driven 21
Years of successful partnerships.”
Stephen Riddick VP Sales & Marketing
“CSP doesn’t succeed unless your company succeeds.”
Stephen Allen Inventory Manager
“Through my intuition and genuine concern to help others I have built long-lasting relationships with our customers, co-workers and business partners.”
Scott Forbes VP Support Services
“Every day, I work with clients to help plan the future of their businesses.”
Michael Bowman vCIO
“Your IT problems become our IT solutions.”
Mark McLemore Project Engineer
“Managing internal and external operations to ensure that CSP provides quality and reliable customer service .”
Margie Figueroa Business Manager
“Providing quality internal and externals financial support to our customers and accounting support to CSP.”
Katie Steiglitz Accounting Administrator
“Some call me the CEO. I call myself the Cheerleader for an awesome team!”
William B. Riddick Founder & CEO
“CSP is here to assist you with your IT needs.”
Beth Wylie Inside Sales Manager
Thinking ofHiring A New IT Company?
On What Questions You Need To Ask Before Signing Any Agreement.