Outdated Business Associate Agreement Leads to Another Six-Figure HIPAA Settlement

Saul Ewing LLP

Summary

On September 23, 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Care New England Health System (CNEHS) agreed to pay $400,000 and enter into a corrective action plan with the OCR to resolve alleged HIPAA violations. This is the 11th publicly announced OCR settlement in 2016. Fines from these 2016 OCR settlements exceed $20.7 million.

CNEHS provides centralized office support, including technical support and information security, in its role as a HIPAA business associate for the covered entities with which it shares common ownership or control, including Women & Infants Hospital of Rhode Island (WIH).  In 2012, WIH notified OCR about a breach involving lost unencrypted backup tapes containing the electronic protected health information (ePHI) of approximately 14,000 individuals.  The OCR learned during its investigation of the breach that WIH and CNEHS had executed a business associate agreement (BAA) in 2005, but had not thereafter updated the BAA.  Therefore, the BAA did not include all the new requirements for BAAs that were mandated by the HIPAA Omnibus Final Rule that went into effect in 2013.

In addition to the $400,000 payment to OCR, WIH previously entered into a $150,000 settlement arising out of the same 2012 breach with the Massachusetts Attorney General’s Office to resolve allegations that WIH failed to protect the ePHI.

The corrective action plan that CNEHS entered into as part of the OCR settlement requires CNEHS to do each of the following:

  • Review and revise, as needed, its written policies and procedures with respect to the HIPAA privacy and security rules;
  • Ensure that the revised policies address specific HIPAA privacy and security provisions for BAAs and proper security incident reporting procedures;
  • Once the policies are approved by HHS, distribute the policies and provide training to all members of its workforce; and
  • Assess, update and revise, as necessary, the policies at least annually.

The OCR press release announcing the CNEHS settlement and the corrective action plan are available here.

Important Takeaways and Next Steps

The CNEHS settlement with OCR reiterates the importance of covered entities and business associates protecting the security of ePHI and ensuring that each BAA has all the required provisions, including those added by the HIPAA Omnibus Final Rule.  The CNEHS settlement is the second settlement this year related to the failure to comply with regulations concerning BAAs.

Covered entities and business associates should review recent OCR settlements to understand the factual scenarios that led to the settlements, and to take appropriate action to prevent the same circumstances from occurring.  

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Saul Ewing LLP
