Hospital Pays $400,000 HIPAA Breach Penalty for Obsolete ‘Business Associate’ Agreement

The federal investigation stemmed from the loss of unencrypted backup tapes containing patient data, which were maintained by the hospital’s parent company.

Aldrin Brown, Editor-in-Chief

September 27, 2016


A Rhode Island hospital agreed this month to pay $550,000 in settlements after failing to properly update business associate agreements as required under the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA), federal authorities said.

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) opened an investigation into Women & Infants Hospital of Rhode Island (WIH) after receiving a report of a data breach in November 2012.

WIH told federal authorities it had lost unencrypted backup tapes containing ultrasounds of 14,004 women, including patient names, dates of birth, dates of exams, physician names and, in some cases, Social Security numbers.

Information technology services, including information security, were handled by WIH’s parent company, Care New England Health Systems (CNE).

“WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until Aug. 28, 2015, as a result of OCR’s investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule,” according to a Sept. 23 OCR news release announcing the settlements.

The total amount to be paid by WIH is actually made up of two separate settlements.

A $400,000 payment is intended to resolve the federal probe, which found that WIH disclosed protected health information (PHI) to CNE without “obtaining satisfactory assurances as required under HIPAA” that CNE would safeguard the PHI, in the form of a current written business associate agreement.

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR Director Jocelyn Samuels.

“The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting,” she continued. “A sample Business Associate Agreement can be found on OCR’s website to assist covered entities in complying with this requirement.”

Another $150,000 consent judgment is being paid to the Massachusetts Attorney General’s Office in response to the hospital’s conduct in the underlying breach, including failing to provide adequate safeguards and failing to notify affected people in a timely manner.

“While the AGO’s actions do not legally preclude OCR from imposing civil money penalties, OCR determined not to include additional potential violations in this case for the purposes of settlement, given that such potential violations had already been addressed by the AGO and based on OCR’s policy approach to concurrent cases with State AGOs,” the federal news release said.

The $400,000 settlement with OCR brings the total amount of settlements for HIPAA security violations to $20.7 million this year, up sharply from $6.2 million in all of 2015.


About the Author

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.
