Beware of silver-harvesting scams that could put your HIPAA compliance at risk.
If you share your patients’ protected health information (PHI) with a business associate (BA) without first executing a signed BA agreement (BAA), that’s a mistake that could cost you big.
Watch Out for Silver-Harvesting Scams
Background: On April 20, the HHS Office for Civil Rights (OCR) announced a $750,000 settlement agreement with Raleigh Orthopaedic Clinic, P.A. for potential HIPAA Privacy Rule violations. OCR alleged that Raleigh Orthopaedic furnished the PHI of approximately 17,300 patients to a potential contractor without first executing a BAA.
As in several other recent HIPAA settlements, OCR launched its investigation into Raleigh Orthopaedic following a breach incident report. The covered entity (CE) reported the breach on April 30, 2013. OCR’s investigation revealed that Raleigh Orthopaedic released its patients’ x-ray films and related PHI to a potential business partner that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.
Raleigh Orthopaedic didn’t execute a BAA with the company before turning over the x-rays and related PHI. When the company failed to send the electronic media to Raleigh Orthopaedic, the clinic discovered that the company had sold the x-ray films to a recycling company that harvested the silver.
In addition to paying the $750,000 settlement amount, Raleigh Orthopaedic entered into a Resolution Agreement and a Corrective Action Plan (CAP) with OCR. Under the agreement and CAP, the clinic must revise its policies and procedures to:
If you want to avoid the same fate, take the following steps:
1. Perform Due Diligence on Your Vendors
So-called “silver-harvesting” scams like the one in the Raleigh Orthopaedic case aren’t exactly new. “Several years ago when silver prices were relatively high, there were a number of incidents involving the theft of x-ray films from healthcare providers by thieves who harvested and sold the silver recovered from the x-ray films,” attorneys Elizabeth Hodge and Carolyn Metnick of Akerman LLP tell Health Information Compliance Alert.
“In some cases, like the Raleigh Orthopaedic case, the vendor claimed it would digitize the films, harvest the silver, and then appropriately destroy the films and related documents,” Hodge and Metnick note. “But in reality, the vendor just harvested the silver from the films, leaving the provider without digital records of the films and no idea where the films were.”
In other cases, scammers posed as film disposal vendors, according to Hodge and Metnick. “The thief then harvested the silver and the healthcare provider had no idea what happened to the x-ray films or, perhaps more importantly, any related paper files such as the paper jacket and associated medical records.”
Laurie Cohen, a partner attorney in the Albany office of Nixon Peabody LLP, has also heard about this type of scam and says “it is a warning that providers are a target and vulnerable. That’s why you should perform some due diligence on any company or vendor with whom you’re considering doing business.”
Protect yourself: “This should include checking Better Business Bureau websites as well as requesting a list of references and speaking with such references,” Cohen advises. And if you will be releasing or providing access to your patients’ PHI, your due diligence should also include “querying the company about its HIPAA privacy and security policies and procedures.”
Specifically, to verify a vendor’s HIPAA compliance, Hodge and Metnick advise that you ask the vendor the following basic questions:
2. Focus on Your Risk Assessment
Another important step to take in avoiding the same fate as Raleigh Orthopaedic is to conduct a thorough risk assessment. In your risk assessment/analysis, Cohen advises you ask yourself:
3. Educate Your Workforce
Your employees need to understand the internal process for assessing the purpose of any release or disclosure of PHI, including whether it requires a patient authorization or whether the PHI may be released to a third party that is acting as a BA, Cohen states. Make sure your employees understand what or who is a BA. Instruct all employees that, prior to releasing PHI to a BA, they must confirm that there is a signed BAA in place.
Also train your workforce members on incident reporting, Hodge and Metnick advise. And involve staff in conducting security audits and assessments.
4. Provide Access to Only the Minimum Necessary
To the extent that you provide a BA with access to PHI, you need to assess how much PHI the BA needs to perform its activity, Cohen says. You should always limit the access to the minimum necessary.
Example: “If a vendor is shipping medical supplies to a patient’s home on behalf of a home care agency that will be using such supplies as part of its services, the vendor will likely need no more than a supply list and the patient name and address for shipping,” Cohen illustrates. “The vendor will not likely need the patient diagnosis or other health information to fulfill the order.”
5. Get a Firm Grip on Your BAAs
Cohen stresses that you should develop a template BAA. You should also designate one or more individuals who will have the authority to negotiate and execute BAAs. These individuals should be responsible for maintaining:
Important: Keep in mind that if OCR selects you for a HIPAA audit, one of the first things you’ll need to produce is a list of all your BAs and the corresponding BAAs.
You should also create a process for assessing current and future business relationships to determine whether they constitute BA arrangements, Hodge and Metnick advise. And in your BAAs and/or service agreements, you should consider defining:
Resources: To read the Resolution Agreement and CAP, go to www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic/index.html. Model BAA language from HHS is available at www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.