HIPAA settlement highlights issue of outdated business associate agreements

Dive Brief:

  • Care New England Health System (CNE) will pay $400,000 and implement a corrective action plan to address potential HIPAA violations, on behalf of the subsidiary affiliated covered entities under its ownership or control, HHS announced Friday.
  • The issue stems from the loss of unencrypted data from one of CNE's covered entities, Women & Infants Hospital of Rhode Island (WIH). The pair had been using a business associate agreement that dated from 2005 and did not include the revisions required under the HIPAA Omnibus Final Rule.
  • CNE provides corporate support for numerous hospitals and healthcare providers in Massachusetts and Rhode Island, including in finance, human resources, information services, technical support, insurance, compliance, and administrative functions, HHS said.

Dive Insight:

The case highlights the need for entities to review and revise their business associate agreements to ensure they are in compliance with the requirements of the Omnibus Final Rule, said Jocelyn Samuels, director of HHS' Office for Civil Rights (OCR).

This particular violation was revealed when WIH notified the OCR in 2012 that it had lost unencrypted backup tapes that included ultrasound studies from about 14,000 patients along with names, birth dates, exam dates, physician names, and Social Security Numbers.

Under the agreement, CNE provided WIH with services including technical support and information security. The agreement, signed in 2005, was not updated until 2015, and then only as a result of OCR's investigation.

The deadline for updating HIPAA business associate agreements was September 2014.

The OCR's investigation concluded that from Sept. 23, 2014 until Aug. 28, 2015, WIH had disclosed protected health information (PHI) to CNE without obtaining "satisfactory assurances" that it would safeguard the data as required under HIPAA.

WIH already agreed to a $150,000 settlement with the Massachusetts Attorney General’s Office in 2014, and the OCR determined the violations have been addressed.

The pair are not alone in facing scrutiny over business associate agreements. Oregon Health & Science University (OHSU) notably agreed to settle potential HIPAA violations recently for $2.7 million over issues that included the lack of a business associate agreement before allowing a vendor to store PHI.
