Outdated BA Agreement Results in $400,000 HIPAA Settlement
Affiliated Hospital Was Previously Fined by State Attorney General
This story has been updated.
Federal regulators have entered a $400,000 HIPAA settlement with an organization that provides centralized corporate support services for a number of New England-area covered entities, citing the lack of an updated business associate agreement.
An affiliated hospital client of the organization was previously hit with a state fine in connection with the breach incident cited in the federal settlement.
The U.S. Department of Health and Human Services' Office for Civil Rights says its resolution agreement with Care New England Health System, Providence, R.I., which also includes a corrective action plan, stems from an investigation of a breach that was reported in 2012 by Women and Infants Hospital of Rhode Island.
That breach involved the loss of unencrypted backup tapes containing the ultrasound studies of approximately 14,000 Women and Infants Hospital patients, including name, date of birth, date of exam, physician names, and, in some instances, Social Security numbers.
The resolution agreement between OCR and Care New England Health System notes that the organization "provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH's information systems as its business associate."
OCR notes in its statement that "WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until August 28, 2015, as a result of OCR's investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule."
Lessons to Learn
The latest OCR settlement offers important lessons for covered entities and business associates, says healthcare attorney Elizabeth Hodge of the law firm Akerman LLP.
"First, covered entities should have in place a procedure to identify all business associates with whom they do business and then to obtain business associate agreements before sharing any PHI with those organizations," she says.
"Covered entities should also have in place procedures to review existing business associate agreements when there is a change in the law to ensure that the agreement complies with any new requirements or to obtain new compliant business associate agreements."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "I don't think that the settlement was actually with the business associate, CNE, but rather with the covered entities, with CNE entering into the agreement on their behalf. The 'covered conduct' focuses on Women and Infants Hospital's failure to amend its business associate agreement with CNE, rather than suggesting that CNE violated HIPAA."
Covered Entity Settlement
OCR notes that Women and Infants Hospital was also reprimanded in 2014 for the same breach by the Massachusetts attorney general's office. Under the terms of a consent judgment with the state's attorney general, it paid a $150,000 penalty.
Although actions by state attorneys general do not preclude OCR from imposing civil monetary penalties, OCR said it decided not to pursue action against the hospital, "given that such potential violations had already been addressed by the AGO [attorney general's office] and based on OCR's policy approach to concurrent cases with state AGOs."
OCR says the state's consent judgment sufficiently covered key issues in the breach incident, "including the failure to implement appropriate safeguards related to the handling of the PHI contained on the backup tapes and the failure to provide timely notification to the affected individuals."
Another Dual-Action Case
This isn't the first example of two organizations being penalized by federal and state regulators for the same incident.
In 2012, the Minnesota attorney general entered into a settlement agreement with Accretive Health under which the business associate agreed to pay $2.5 million and not operate in Minnesota for at least two years after an investigation into a breach involving the theft of an unencrypted laptop from an Accretive worker's locked car.
The laptop contained the electronic protected health information of 23,000 patients of two covered entities, North Memorial Healthcare and Fairview Health System.
In March 2016, North Memorial entered a resolution agreement with OCR related to the incident. During its investigation, OCR learned that North Memorial did not have a business associate agreement in place with Accretive.
In addition, Accretive also agreed to a settlement in 2014 with the Federal Trade Commission related to the same incident. While the FTC settlement did not include a monetary penalty, Accretive agreed to a number of corrective actions designed to establish a comprehensive security program to protect consumers' personal information.
The Care New England Health System case is a good reminder that, thanks to the HITECH Act, state attorneys general as well as federal authorities can take action to enforce HIPAA, says Hodge, the attorney.
"When bringing a HIPAA enforcement action, the state attorneys general may also include violations of applicable state confidentiality and data breach, as the Massachusetts attorney general did in the case against Women & Infants Hospital," she notes.
"The Care New England breach also illustrates that state attorneys general are willing to bring an enforcement action even if the covered entity or business associate is not based in their state so long as state residents are among those affected by the breach," she adds. "This means that covered entities and business associates can be subject to enforcement activity in multiple states, not just the state where they are headquartered."
Corrective Action Plan
Under its OCR settlement, Care New England Health System has agreed to implement a corrective action plan that requires it to:
- Review and revise its written HIPAA privacy and security rule policies and procedures. That includes designating one or more individuals responsible for ensuring that covered entities enter into business associate agreements before the provider organization discloses PHI to the business;
- Implement and distribute those policies and procedures to its workforce;
- Provide its workforce with HIPAA-related training.
Ramped Up Enforcement
The settlement with Care New England Health System is OCR's eleventh HIPAA enforcement action so far this year.
"Given the pace at which OCR has been entering into resolution agreements so far this year, I would expect to see more settlements before the end of the year," Hodge says. "OCR has also provided more guidance to covered entities and business associates this year, and I would expect that trend to continue through the end of the year, too."
Privacy attorney David Holtzman, vice president of security consultancy CynergisTek, expects OCR to continue its ramped-up HIPAA enforcement activities next year - regardless of the outcome of the presidential election.
"OCR's enforcement process should not be directly affected by the pending election or change in administration," he says. "The investigation and recommendations for enforcement are carried out by career civil servants. While the pending change in administration will likely result in a vacancy of the director for the Office for Civil Rights beginning sometime after the election until a successor is named, a career senior civil servant takes on the appointment in an acting role, with the full authority of the office to negotiate resolution agreements that would result in the payment of a penalty and put into place a corrective action plan to settle a HIPAA complaint investigation or compliance review."