Benefits and Compensation

Health System’s $400K HIPAA Settlement Shows Need to Update Business Associate Agreements

A Rhode Island health system’s $400,000 settlement of a federal Health Insurance Portability and Accountability Act (HIPAA) enforcement action illustrates the importance of keeping business associate agreements (BAAs) up to date when circumstances or regulations change.

Care New England Health System (CNE), on behalf of its subsidiary hospitals and other providers, reached this settlement with the U.S. Department of Health and Human Services (HHS) after the agency, investigating a 2012 breach report, found the hospital had not updated its BAA with CNE since 2005. CNE is considered a business associate of its component providers because it gives them centralized support with finance, human resources, and other functions.

The breach at Women & Infants Hospital of Rhode Island (WIH) involved the loss of unencrypted backup tapes containing the ultrasound studies of approximately 14,000 individuals, including patient and physician names, birth and exam dates, and in some cases Social Security Numbers. In 2014, WIH paid $150,000 to settle state allegations of HIPAA security and breach notification violations.

HHS, on the other hand, focused on the business associate relationship. WIH did not update its 2005 BAA with CNE until August 2015, as a result of the agency’s investigation, and thus had not amended it to reflect the HIPAA omnibus rules as was required by September 2014, HHS alleged. As a result, between September 23, 2014, and August 28, 2015, WIH allegedly violated HIPAA both by disclosing 14,000 individuals’ protected health information (PHI) to CNE and by allowing CNE to use the PHI on its behalf without “satisfactory assurances” in the form of a compliant BAA.

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” Jocelyn Samuels, director of HHS’ Office for Civil Rights (OCR), said September 23 in announcing the settlement. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”

Regarding the breach itself, OCR found that WIH’s 2014 settlement with the Massachusetts attorney general was sufficient to cover other allegations such as the failure to implement appropriate safeguards or notify affected individuals in a timely fashion.

As usual, OCR’s “resolution agreement” with CNE includes a corrective action plan. CNE must revise its policies and procedures on BAAs, training, and security incident response, and include measures on internal investigation and sanctions for possible HIPAA violations. CNE then must train its entire workforce on these practices, and report suspected violations to OCR.

Business associate relationships have been a growing point of emphasis in OCR’s enforcement actions. This year has seen the agency’s first direct monetary settlement with a business associate, and alleged BAA deficiencies have figured in several of the recent seven-figure resolution agreements involving covered entities.