Outdated Business Associate Agreement Results in OCR Settlement
At the end of September 2016, the Office for Civil Rights (“OCR”) announced a settlement with Care New England Health System (“CNE”), the parent company of several covered entity hospitals. The sole reason for the settlement was impermissible disclosures made as a result of an outdated business associate agreement (BAA). The settlement included a comprehensive corrective action plan and a $400,000 payment.
OCR received notification of a HIPAA breach at one of CNE’s hospitals that stemmed from the loss of unencrypted backup tapes. During the course of its investigation into this breach, OCR uncovered that the hospital had been disclosing PHI to CNE under an outdated BAA. CNE provided corporate support functions to its covered entity hospital affiliates. The only BAA in place between CNE and the hospital that experienced the breach went unchanged from 2005 until August 28, 2015, almost a full year after mandated compliance with the HIPAA Omnibus Final Rule provisions. During that year, OCR found that the hospital impermissibly disclosed the PHI of over 14,000 individuals to CNE, and that CNE impermissibly received PHI from the hospital, because the BAA between the parent and the affiliate was not updated to include the Omnibus Final Rule requirements.
OCR chose to pursue this settlement with CNE as the business associate (the parent entity) that received PHI inappropriately. The hospital that experienced the breach had previously settled with the Massachusetts Attorney General, and OCR found that settlement to be sufficient and therefore declined to impose additional penalties on the hospital.
This is the first instance of an OCR settlement based on failure to update a BAA for compliance with the Omnibus Final Rule. OCR uses its settlements to send a message to covered entities and business associates, so this is likely not the last settlement we will see involving an outdated BAA. It is imperative that covered entities and business associates alike review their BAAs to ensure HIPAA compliance, which includes technical compliance with the Omnibus Final Rule. Keep in mind that reporting a HIPAA breach or managing a HIPAA complaint may open the entity to a full HIPAA review, regardless of the origin of the breach or complaint. CNE’s issue started as a lost backup tape, and resulted in the entity paying nearly a half million dollars for one outdated agreement.
We want to remind you that the 2016 Baird Holm Health Law Forum will include a presentation from an OCR Investigator who has allowed our clients to submit questions in advance. You can contact Vickie Ahlers (firstname.lastname@example.org) if you have any questions or if you would like to submit questions to OCR for possible inclusion in the Health Law Forum presentation.