[BreachExchange] Hospital Pays $400,000 HIPAA Breach Penalty for Obsolete ‘Business Associate’ Agreement

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 27 20:52:18 EDT 2016


http://mspmentor.net/msp-mentor/hospital-pays-400000-hipaa-breach-penalty-obsolete-business-associate-agreement

A Rhode Island hospital agreed this month to pay $550,000 in settlements
after failing to properly update business associate agreements as required
under the privacy and security rules of the Health Insurance Portability
and Accountability Act (HIPAA), federal authorities said.

The U.S. Department of Health and Human Services Office of Civil Rights
(OCR) opened an investigation into Women & Infants Hospital of Rhode Island
(WIH) after receiving a report of a data breach in November 2012.

WIH told federal authorities it had lost unencrypted backup tapes
containing ultrasounds of 14,004 women, including patient names, dates of
birth, dates of exams, physician names and, in some cases, Social Security
numbers.

Information technology services, including information security, were
handled by WIH’s parent company, Care New England Health Systems (CNE).

“WIH provided OCR with a business associate agreement with Care New England
Health System effective March 15, 2005, that was not updated until Aug. 28,
2015, as a result of OCR’s investigation, and therefore, did not
incorporate revisions required under the HIPAA Omnibus Final Rule,”
according to a Sept. 23 OCR news release announcing the settlements.

The total amount to be paid by WIH actually comprises two settlements.

A $400,000 payment is intended to address the federal probe, which found
that WIH disclosed protected health information (PHI) to CNE, without
“obtaining satisfactory assurances as required under HIPAA,” in the form of
a written business associate agreement that CNE would safeguard the PHI.

“This case illustrates the vital importance of reviewing and updating, as
necessary, business associate agreements, especially in light of required
revisions under the Omnibus Final Rule,” said OCR Director Jocelyn Samuels.

“The Omnibus Final Rule outlined necessary changes to established business
associate agreements and new requirements which include provisions for
reporting,” she continued. “A sample Business Associate Agreement can be
found on OCR’s website to assist covered entities in complying with this
requirement.”

Another $150,000 consent judgment is being paid to the Massachusetts
Attorney General’s Office in response to the hospital’s conduct in the
underlying breach, including failing to provide adequate safeguards and
failing to notify affected people in a timely manner.

“While the AGO’s actions do not legally preclude OCR from imposing civil
money penalties, OCR determined not to include additional potential
violations in this case for the purposes of settlement, given that such
potential violations had already been addressed by the AGO and based on
OCR’s policy approach to concurrent cases with State AGOs,” the federal
news release said.

The $400,000 settlement with OCR brings the total amount of settlements for
HIPAA security violations to $20.7 million this year, up sharply from $6.2
million in all of 2015.