$400K HIPAA Payment for BAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it has reached a settlement with Care New England Health System (CNE) to resolve potential violations of HIPAA. CNE will pay a financial penalty of $400K and must implement a comprehensive Corrective Action Plan (CAP) to address several areas of HIPAA noncompliance.

Care New England Health System (CNE) provides centralized corporate support for several subsidiary affiliated HIPAA-covered entities across Rhode Island and Massachusetts.

On November 5, 2012, OCR opened an investigation after receiving a breach notification from one of CNE’s subsidiary affiliated covered entities, Women & Infants Hospital of Rhode Island (WIH).

WIH reported the loss of several unencrypted backup tapes containing the PHI of approximately 14K patients. The exposed PHI included names, dates of medical examinations, dates of birth, names of referring physicians, and Social Security numbers.

The breach investigation revealed that PHI had been disclosed to CNE without authorization as a result of the failure to obtain an updated, HIPAA-compliant Business Associate Agreement (BAA).

CNE provides information security and IT support for WIH’s systems. Those duties require CNE to come into contact with PHI. HIPAA therefore requires WIH and CNE to sign a business associate agreement (BAA) setting out the responsibilities of the business associate with respect to ePHI.

WIH obtained a signed BAA on March 15, 2005; however, the BAA was not updated until August 28, 2015, and only then as a result of the OCR investigation. The BAA should have been updated earlier to incorporate the implementation specifications required by the HIPAA Privacy and Security Rules and to reflect the changes to HIPAA that followed publication of the HIPAA Omnibus Rule.

WIH disclosed the PHI of at least 14,004 individuals to CNE and allowed CNE to create, receive, maintain, and transmit PHI on its behalf, yet no written assurances had been obtained confirming that CNE would implement appropriate physical, technical, and administrative safeguards to ensure PHI was adequately protected. OCR determined that 45 C.F.R. §§ 164.308(a), 164.314(a), 164.502(a), 164.502(e), 164.504(e)(2), and 164.532(d) had been violated.

The financial settlement could have been considerably higher; however, the breach that triggered the OCR investigation had previously been investigated by the Massachusetts Attorney General’s Office (AGO). Women & Infants Hospital entered into a consent judgment with the Attorney General’s Office and agreed to pay a financial penalty of $150,000 to resolve potential HIPAA violations relating to the failure to adequately protect the PHI stored on the backup tapes. OCR could still have imposed an additional financial penalty for the HIPAA violations that contributed to the breach, but the Attorney General’s Office settlement was deemed sufficient in this case.

The financial penalty should serve as a reminder to all covered entities that they must not only obtain HIPAA-compliant BAAs from all vendors that require access to ePHI, but also ensure that those agreements are regularly reviewed and kept up to date.

The resolution agreement can be viewed via this link.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.