Health System Hit with $400,000 HIPAA Fine

October 6, 2016
News & Insights

On September 23, the Office for Civil Rights (OCR) announced it reached a $400,000 settlement and corrective action plan (CAP) with Care New England Health System (CNE), a Rhode Island-based health system headquartered in Providence.

Although an out-of-date business associate agreement (BAA) was at the heart of the alleged HIPAA violation, the case also highlights the complex business relationships and corporate structures in the industry.

Women & Infants Hospital of Rhode Island (WIH), a covered entity (CE) member of CNE, reported a breach affecting 14,000 individuals in November 2012. Unencrypted backup tapes containing ultrasound studies, including patient names and Social Security numbers, went missing from two of WIH’s facilities. CNE, in addition to providing centralized corporate support to the CEs it owns, offers business associate (BA) services. In this case, CNE provided technical support and information security services for WIH.

OCR discovered that the BAA between WIH and CNE had not been updated or modified since its effective date in March 2005 and did not include implementation specifications required by the 2013 HIPAA omnibus rule. CNE and WIH finally updated the BAA in August 2015, too late to avoid OCR’s fines. In addition to the original breach, OCR determined that WIH impermissibly disclosed the protected health information of at least 14,004 individuals to CNE from September 2014 to August 2015.

CNE reached the settlement with OCR on behalf of each of its CEs and agreed to a CAP. Under the terms of the CAP, CNE must revise and update its BAA policies and security incident procedures.

OCR declined to take action directly against WIH. In July 2014, WIH and the Massachusetts Attorney General’s Office reached a consent judgment and a settlement of $150,000. The consent judgment addressed most of the underlying conduct that caused the initial breach, according to OCR.
