Outdated Business Associate Agreement Leads to Another Six-Figure HIPAA Settlement

On September 23, 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Care New England Health System (CNEHS) agreed to pay $400,000 and enter into a corrective action plan with the OCR to resolve alleged HIPAA violations. This is the 11th publicly announced OCR settlement in 2016. Fines from these 2016 OCR settlements exceed $20.7 million.

CNEHS provides centralized office support, including technical support and information security, in its role as a HIPAA business associate for the covered entities with which it shares common ownership or control, including Women & Infants Hospital of Rhode Island (WIH).  In 2012, WIH notified OCR about a breach involving lost unencrypted backup tapes containing the electronic protected health information (ePHI) of approximately 14,000 individuals.  The OCR learned during its investigation of the breach that WIH and CNEHS had executed a business associate agreement (BAA) in 2005, but had not thereafter updated the BAA.  Therefore, the BAA did not include all the new requirements for BAAs that were mandated by the HIPAA Omnibus Final Rule that went into effect in 2013.

In addition to the $400,000 payment to OCR, WIH previously entered into a $150,000 settlement arising out of the same 2012 breach with the Massachusetts Attorney General’s Office to resolve allegations that WIH failed to protect the ePHI.

The corrective action plan that CNEHS entered into as part of the OCR settlement requires CNEHS to do each of the following:

  • Review and revise, as needed, its written policies and procedures with respect to the HIPAA privacy and security rules;
  • Ensure that the revised policies address specific HIPAA privacy and security provisions for BAAs and proper security incident reporting procedures;
  • Once the policies are approved by HHS, distribute the policies and provide training to all members of its workforce; and
  • Assess, update and revise, as necessary, the policies at least annually.

The OCR press release announcing the CNEHS settlement and the corrective action plan are available here.

Important Takeaways and Next Steps

The CNEHS settlement with OCR reiterates the importance of covered entities and business associates protecting the security of ePHI and ensuring that each BAA has all the required provisions, including those added by the HIPAA Omnibus Final Rule.  The CNEHS settlement is the second settlement this year related to the failure to comply with regulations concerning BAAs.

Covered entities and business associates should review recent OCR settlements to understand the factual scenarios that led to the settlements, and to take appropriate action to prevent the same circumstances from occurring.   

Saul Ewing attorneys regularly counsel and assist covered entities and business associates on HIPAA compliance, including drafting and reviewing business associate agreements, HIPAA policies and procedures and providing workforce training programs.  For more information on these matters, please contact the authors or the attorney at the Firm with whom you are regularly in contact.
