Newest OCR settlement highlights need to review and update Business Associate Agreements
A newly announced settlement between HHS OCR and Care New England reinforces what DataBreaches.net and Protenus, Inc. have been trying to remind everyone of this week: pay more attention to your business associate agreements and do so regularly.
Care New England Health System (CNE), on behalf of each of the covered entities under its common ownership or control, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a monetary payment of $400,000 and a comprehensive corrective action plan. CNE provides centralized corporate support for its subsidiary affiliated covered entities, which include a number of hospitals and health care providers in Massachusetts and Rhode Island. These functions include, but are not limited to, finance, human resources, information services and technical support, insurance, compliance and administrative functions.
On November 5, 2012, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) received notification from Woman & Infants Hospital of Rhode Island (WIH), a covered entity member of CNE, of the loss of unencrypted backup tapes containing the ultrasound studies of approximately 14,000 individuals, including patient name, data of birth, date of exam, physician names, and, in some instances Social Security Numbers. As WIH’s business associate, CNE provides centralized corporate support including technical support and information security for WIH’s information systems. WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until August 28, 2015, as a result of OCR’s investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule.
OCR’s investigation found the following:
- From September 23, 2014 until August 28, 2015, WIH disclosed protected health information (PHI) and allowed its business associate, CNE, to create, receive, maintain, or transmit PHI on its behalf, without obtaining satisfactory assurances as required under HIPAA. WIH failed to renew or modify its existing written business associate agreement with CNE to include the applicable implementation specifications required by the HIPAA Privacy and Security Rules.
- From September 23, 2014, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI.
“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule, said OCR Director Jocelyn Samuels. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting. A sample Business Associate Agreement can be found on OCR’s website to assist covered entities in complying with this requirement.”
With respect to the underlying breach, on July 17, 2014, WIH entered into a consent judgment with the Massachusetts Attorney General’s Office (AGO), and reached a settlement of $150,000. OCR found the consent judgment to sufficiently cover most of the conduct in this breach, including the failure to implement appropriate safeguards related to the handling of the PHI contained on the backup tapes and the failure to provide timely notification to the affected individuals. While the AGO’s actions do not legally preclude OCR from imposing civil money penalties, OCR determined not to include additional potential violations in this case for the purposes of settlement, given that such potential violations had already been addressed by the AGO and based on OCR’s policy approach to concurrent cases with State AGOs.
The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih. OCR’s sample Business Associate Agreement may be found at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.