OCR Reaches $400,000 HIPAA Settlement for Failure to Update Business Associate Agreement

Author

Alessandra Swanson

October 4, 2016

The Office for Civil Rights (OCR) recently settled with Care New England Health System (CNE) to address alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE owns a number of hospitals and health care providers, including Women & Infants Hospital of Rhode Island (WIH). The settlement, which includes a $400,000 resolution amount and a corrective action plan, stemmed from OCR’s investigation of a breach involving WIH in 2012. WIH self-reported the breach to OCR following the loss of unencrypted back-up tapes containing the protected health information (PHI) of 14,004 individuals. While investigating the breach, OCR discovered that WIH was sharing PHI with CNE pursuant to a business associate agreement that went into effect in 2005 and was not updated to reflect the requirements of the 2013 HIPAA Omnibus Rule. OCR highlighted the lack of an updated business associate agreement in the corrective action plan, as it requires CNE to develop and implement policies and procedures to ensure that HIPAA-compliant business associate agreements are in place prior to any CNE entities sharing PHI with business associates.

TIP: This case underscores OCR’s willingness to pursue enforcement cases where a covered entity fails to enter into a HIPAA-compliant business associate agreement prior to disclosing PHI to third parties. Companies subject to HIPAA should keep this in mind as they evaluate their business associate agreements.

This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.

Copyright © 2025. Winston & Strawn LLP
