$400,000 HIPAA Settlement for BAA Failures
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance.
Care New England Health System (CNE) provides centralized corporate support for a number of subsidiary affiliated HIPAA-covered entities throughout Massachusetts and Rhode Island.
An OCR investigation was triggered following the receipt of a breach notification from one of CNE’s subsidiary affiliated covered entities – Women & Infants Hospital of Rhode Island (WIH) – on November 5, 2012.
WIH reported the loss of a number of unencrypted backup tapes that contained the PHI of around 14,000 patients. The exposed PHI included names, dates of birth, dates of medical examinations, names of referring physicians, and Social Security numbers.
The breach investigation revealed that PHI had been impermissibly disclosed to CNE as a result of the failure to obtain an up-to-date, HIPAA-compliant Business Associate Agreement (BAA).
CNE provides IT support and information security for WIH’s systems. Those functions require CNE to come into contact with PHI. Consequently, HIPAA requires CNE and WIH to sign a business associate agreement (BAA) setting out the business associate’s responsibilities with respect to ePHI.
WIH did obtain a signed BAA on March 15, 2005; however, the BAA was not updated until August 28, 2015, and only then as a result of the OCR investigation. The BAA should have been amended earlier to include the implementation specifications required by the HIPAA Privacy and Security Rules and to incorporate the changes to HIPAA introduced by the HIPAA Omnibus Rule.
WIH disclosed the PHI of at least 14,004 individuals to CNE and allowed CNE to create, receive, maintain, and transmit PHI on its behalf, yet no written assurances had been obtained to confirm that CNE would apply satisfactory physical, technical, and administrative controls to ensure PHI was appropriately safeguarded. OCR determined that 45 C.F.R. § 164.308(a), 164.314(a), 164.502(a), 164.502(e), 164.504(e)(2), and 164.532(d) had been violated.
The financial settlement could have been much higher; however, the breach that triggered the OCR investigation had previously been investigated by the Massachusetts Attorney General’s Office (AGO). WIH entered into a consent judgment with AGO and agreed to pay a financial penalty of $150,000 to settle potential HIPAA violations regarding the failure to appropriately safeguard PHI stored on the backup tapes. OCR could still have imposed a further financial penalty for the HIPAA violations that contributed to the breach, although the AGO settlement was deemed to be sufficient in this case.
The financial penalty should serve as a warning to all covered entities: it is not enough to obtain HIPAA-compliant business associate agreements from every vendor that requires access to ePHI; those agreements must also be regularly reviewed and updated.