September 28, 2016
On Sept. 23, 2016, which is three years to the day of the HIPAA Omnibus enforcement going into effect, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its second HIPAA enforcement action against a business associate (BA) to the tune of $400,000.
The vendor, Care New England Health Systems, agreed to the settlement after an investigation of a breach that was reported in 2012 by Women and Infants Hospital of Rhode Island. Additionally, the hospital had previously entered into a consent judgment with the Massachusetts’ Attorney General’s Office, and reached a settlement of $150,000 for its part in the breach.
In short, the hospital had not updated its BA agreement since 2005 and therefore did not incorporate revisions required under the HIPAA Omnibus Final Rule. In 2012, the BA lost unencrypted backup tapes containing the ultrasound studies of approximately 14,000 individuals, including patient name, data of birth, date of exam, physician names, and, in some instances Social Security Numbers.
“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule, said OCR Director Jocelyn Samuels. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”
The latest case isn’t the first case of a covered entity and a business associate being penalized by federal and state regulators for the same incident. In 2012, Accretive Health agreed to pay $2.5 million in a settlement with the Minnesota attorney general because of a breach involving the theft of an unencrypted laptop from an Accretive worker’s locked car. That laptop contained the electronic protected health information of North Memorial Healthcare patients. In March 2016, North Memorial entered a resolution agreement with OCR after it was discovered there was no business associate agreement in place with Accretive.
And that brings us right back to the title of this post: Latest HIPAA settlement shows importance of up-to-date BA agreements. How can you be sure yours are? Join us on Wednesday, October 12, from noon to 1 pm (MDT), when PrivaPlan presents a live webcast, “Business Associates + HIPAA Risk Management.” Click here to register.
At PrivaPlan, our HIPAA experts can help ensure that your BA agreements are current and meet the new requirements which include provisions for reporting.
Contact us at firstname.lastname@example.org or call 877-218-7707.