[BreachExchange] Latest OCR HIPAA Settlement Highlights BAA Importance

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 30 13:37:35 EDT 2016


http://healthitsecurity.com/news/latest-ocr-hipaa-settlement-highlights-baa-importance

Care New England Health System (CNE) agreed to an OCR HIPAA settlement
after it was found to have not had a current business associate agreement
in place to keep PHI secure.

Women & Infants Hospital of Rhode Island (WIH) was a CNE covered entity,
and had lost unencrypted backup tapes that held the ultrasound studies of
approximately 14,000 individuals, according to OCR. While there was a
business associate agreement (BAA) in place, OCR found that it was not
updated until August 28, 2015 and “did not incorporate revisions required
under the HIPAA Omnibus Final Rule.”

“This case illustrates the vital importance of reviewing and updating, as
necessary, business associate agreements, especially in light of required
revisions under the Omnibus Final Rule,” OCR Director Jocelyn Samuels said
in a statement. “The Omnibus Final Rule outlined necessary changes to
established business associate agreements and new requirements which
include provisions for reporting.  A sample Business Associate Agreement
can be found on OCR’s website to assist covered entities in complying with
this requirement.”

The healthcare data breach in question happened from September 23, 2014 to
August 28, 2015, and included patient names, dates of birth, dates of
exams, physician names, and Social Security Numbers in some cases. Also in
that time frame, CNE was allowed “to create, receive, maintain, or transmit
PHI on its behalf, without obtaining satisfactory assurances as required
under HIPAA.”

“From September 23, 2014, until August 28, 2015, WIH impermissibly
disclosed the PHI of at least 14,004 individuals to its business associate
when WIH provided CNE with access to PHI without obtaining satisfactory
assurances, in the form of a written business associate agreement, that CNE
would appropriately safeguard the PHI,” OCR explained.

WIH also agreed to a consent judgment with the Massachusetts Attorney
General’s Office (AGO), which included a settlement of $150,000. OCR
explained that the consent judgment adequately covered “most of the
conduct in this breach, including the failure to implement appropriate
safeguards related to the handling of the PHI contained on the backup tapes
and the failure to provide timely notification to the affected individuals.”

Per the OCR corrective action plan, CNE must also review and revise as
necessary its written policies and procedures for maintaining ePHI security.

“All members of CNE’s workforce shall receive training on the policies and
procedures to comply with the Privacy & Security Rules within ninety (90)
days of the implementation of the policies and procedures, or within ninety
(90) days of when they become a member of CNE’s workforce,” the corrective
action plan reads. “CNE shall review the training annually, and, where
appropriate, update the training to reflect changes in Federal law or HHS
guidance, any issues discovered during internal or external audits or
reviews, and any other relevant developments.”

OCR has previously shown that BAAs are essential to keeping PHI secure, and
that healthcare data breaches can lead to OCR HIPAA settlements for either
a covered entity or a business associate.

For example, Catholic Health Care Services of the Archdiocese of
Philadelphia (CHCS) agreed to pay $650,000 earlier this year as part of an
OCR settlement. CHCS provided management and information technology
services as a BA to six skilled nursing facilities.

OCR had received separate notifications in February 2014 from all six of
CHCS’ nursing homes that a mobile device had been stolen, potentially
compromising 412 individuals’ information.

The investigation also revealed that CHCS had not conducted “an accurate
and thorough assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of e-PHI held by CHCS” from the
compliance date of the HIPAA Security Rule to the present.