Outdated Business Associate Agreements Lurking in Your Office? Recent $400,000 HIPAA Settlement Provides More Reasons to Get Up-to-Date Now

Published On: October 23, 2016

Late last month the United States Department of Health and Human Services, Office for Civil Rights (OCR) announced a $400,000 HIPAA settlement for a breach of protected health information (PHI) of more than 12,000 patients by a business associate.

Care New England Health System (CNE), the parent company of Women & Infants Hospital of Rhode Island (WIH), is a business associate of WIH because it provides technical support and information security. CNE and WIH signed a business associate agreement in 2005; however, the business associate agreement was not updated in 2014 as required by the HIPAA Omnibus Final Rule.

In April 2012, WIH realized that it was missing 19 unencrypted back-up tapes containing the PHI of 12,127 patients. In the summer of 2011, the back-up tapes were to be sent to CNE’s central data center for storage before being shipped to another site to be archived. Due to an insufficient tracking and inventory system, WIH did not discover that the tapes were missing until the spring of 2012. WIH did not report the breach until November 2012, well past the 60-day reporting requirement under the HIPAA Breach Notification Rule.

CNE agreed to a $400,000 monetary payment and to a two-year corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules. WIH paid a settlement of $150,000 to the Massachusetts Attorney General’s Office, and OCR did not pursue additional civil monetary penalties from WIH.

Key takeaways:

  • Business associate agreements must be reviewed and updated for compliance with the HIPAA Omnibus Final Rule.
  • Covered entities must develop tracking and inventory systems that protect their patients’ PHI.
  • Covered entities must report breaches affecting more than 500 individuals to OCR within 60 days of the date of discovery.

This settlement, along with the Phase 2 HIPAA audits currently underway, demonstrates that OCR is holding covered entities responsible for appropriately identifying their business associates and assuring that patients’ PHI is protected through up-to-date business associate agreements. To learn more about OCR’s enforcement efforts and how to protect your health center, join us on November 10, 2016 for our webinar, “Behind the HIPAA Headlines”.

For additional information regarding HIPAA and your health center’s responsibilities, please contact an attorney at Feldesman Tucker Leifer Fidell LLP at (202) 466-8960.

Ms. Pledgie is a member of the New York and Massachusetts Bars and is not licensed in Washington, DC. Her practice is limited to federal health care matters.