Earlier this month, Care New England Health System (CNE), on behalf of the entities under its ownership, settled alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with a $400,000 payment and the submission of a comprehensive corrective action plan.
CNE handles the financial, human resources, information services and technical support, insurance, compliance, and administrative functions for all its providers, which are located mainly in Massachusetts and Rhode Island.
On Nov. 5, 2012, Women & Infants Hospital of Rhode Island (WIH), an entity under CNE, reported the loss of unencrypted backup tapes to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The tapes contained 14,000 ultrasounds and included patient names, dates of birth, and, in some instances, Social Security numbers. On March 15, 2005, CNE was contracted to handle WIH’s information security, but that agreement was never updated, meaning revisions required under HIPAA since 2005 were never addressed.
The department’s investigation found that WIH and CNE exchanged protected health information (PHI) without first obtaining, through a business associate agreement, the satisfactory assurances that HIPAA requires.
“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said Jocelyn Samuels, director of OCR. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting. A sample business associate agreement can be found on OCR’s website to assist covered entities in complying with this requirement.”
Find the corrective action plan submitted by CNE and WIH as part of the settlement here.