Care New England Health System (CNE) agreed to an OCR HIPAA settlement after it was found not to have had a current business associate agreement in place to keep PHI secure.
Women & Infants Hospital of Rhode Island (WIH) was a CNE covered entity, and had lost unencrypted backup tapes that held the ultrasound studies of approximately 14,000 individuals, according to OCR. While there was a business associate agreement (BAA) in place, OCR found that it was not updated until August 28, 2015 and “did not incorporate revisions required under the HIPAA Omnibus Final Rule.”
“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” OCR Director Jocelyn Samuels said in a statement. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting. A sample Business Associate Agreement can be found on OCR’s website to assist covered entities in complying with this requirement.”
The healthcare data breach in question happened from September 23, 2014 to August 28, 2015, and included patient names, dates of birth, dates of exams, physician names, and Social Security Numbers in some cases. Also in that time frame, CNE was allowed “to create, receive, maintain, or transmit PHI on its behalf, without obtaining satisfactory assurances as required under HIPAA.”
“From September 23, 2014, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI,” OCR explained.
WIH also agreed to a consent judgment with the Massachusetts Attorney General’s Office (AGO), which included a settlement of $150,000. OCR explained that the consent judgment adequately covered “most of the conduct in this breach, including the failure to implement appropriate safeguards related to the handling of the PHI contained on the backup tapes and the failure to provide timely notification to the affected individuals.”
Per the OCR corrective action plan, CNE must also review and revise as necessary its written policies and procedures for maintaining ePHI security.
“All members of CNE’s workforce shall receive training on the policies and procedures to comply with the Privacy & Security Rules within ninety (90) days of the implementation of the policies and procedures, or within ninety (90) days of when they become a member of CNE’s workforce,” the corrective action plan reads. “CNE shall review the training annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during internal or external audits or reviews, and any other relevant developments.”
OCR has previously shown that BAAs are essential to keeping PHI secure, and that healthcare data breaches can lead to OCR HIPAA settlements for either a covered entity or a business associate.
For example, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to pay $650,000 earlier this year as part of an OCR settlement. CHCS provided management and information technology services as a BA to six skilled nursing facilities.
OCR had received separate notifications in February 2014 from all six of CHCS’ nursing homes that a mobile device had been stolen, potentially compromising 412 individuals’ information.
The investigation also revealed that CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS” from the compliance date of the HIPAA Security Rule to the present.