HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

$400,000 HIPAA Settlement for BAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance.

Care New England Health System (CNE) provides centralized corporate support for a number of subsidiary affiliated HIPAA-covered entities throughout Massachusetts and Rhode Island.

An OCR investigation was triggered following the receipt of a breach notification from one of CNE’s subsidiary affiliated covered entities – Women & Infants Hospital of Rhode Island (WIH) – on November 5, 2012.

WIH reported the loss of a number of unencrypted backup tapes that contained the PHI of around 14,000 patients. The exposed PHI included names, dates of birth, dates of medical examinations, names of referring physicians, and Social Security numbers.


The breach investigation revealed that PHI had been impermissibly disclosed to CNE as a result of the failure to obtain an up-to-date, HIPAA-compliant Business Associate Agreement (BAA).

CNE provides IT support and information security for WIH’s systems. Those functions require CNE to come into contact with PHI. Consequently, CNE and WIH are required by HIPAA to sign a business associate agreement (BAA) outlining the responsibilities of the BA with respect to ePHI.

WIH did obtain a signed BAA on March 15, 2005; however, the BAA was not updated until August 28, 2015, and only then as a result of the OCR investigation. The BAA should have been amended previously to include the implementation specifications required by the HIPAA Privacy and Security Rules and to incorporate the changes to HIPAA following the issuance of the HIPAA Omnibus Rule.

WIH disclosed the PHI of at least 14,004 individuals to CNE and allowed CNE to create, receive, maintain, and transmit PHI on its behalf, yet no written assurances had been obtained to confirm that CNE would apply satisfactory physical, technical, and administrative controls to ensure PHI was appropriately safeguarded. OCR determined that 45 C.F.R. § 164.308(a), 164.314(a), 164.502(a), 164.502(e), 164.504(e)(2), and 164.532(d) had been violated.

The financial settlement could have been much higher; however, the breach that triggered the OCR investigation had previously been investigated by the Massachusetts Attorney General’s Office (AGO). WIH entered into a consent judgment with the AGO and agreed to pay a financial penalty of $150,000 to settle potential HIPAA violations regarding the failure to appropriately safeguard PHI stored on the backup tapes. OCR could still have imposed a further financial penalty for the HIPAA violations that contributed to the breach, although the AGO settlement was deemed to be sufficient in this case.

The financial penalty should serve as a warning to all covered entities of the need to not only obtain HIPAA-compliant business associate agreements from all vendors that require access to ePHI, but to also ensure that those agreements are regularly reviewed and updated.

The resolution agreement can be viewed at this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.