On September 23, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced that it reached a $400,000 settlement with Care New England Health System of Providence, R.I., which owns and operates hospitals and provider groups. The settlement included a corrective action plan.
Care New England reported that one of its hospitals, Women & Infants Hospital of Rhode Island (WIH), lost unencrypted backup tapes that contained ultrasound data for roughly 14,000 patients in late 2012. During its investigation the OCR discovered that Care New England's business associate agreement (BAA) with WIH hadn't been updated since 2005.
Day Pitney's Eric Fader commented on the settlement in a September 23 article, "Hospital Data Breach Leads to HHS $400K Settlement," in Bloomberg BNA's Privacy Law Watch, and a September 26 article, "HHS Settlement Shows Need for Updated Business Associate Agreement," in Bloomberg BNA's Health Care Daily Report.
Eric said he was surprised that the OCR was still stressing the need for updated BAAs, especially after publicizing two settlements earlier this year (discussed here) with covered entities that lacked BAAs. He predicted that the OCR is likely to move on to other topics in its future provider education efforts, unless its ongoing Phase 2 HIPAA audits reveal that BAAs continue to be a problem area.
"The relatively low settlement amount of $400,000 suggests to me that the OCR recognizes that Care New England's violation was not as serious a violation as never having entered into a BAA would have been," Eric added.
For more articles and regular updates on legislative changes, regulatory developments and other news of interest to businesses, professionals and investors in the healthcare industry, please subscribe to Day Pitney's mailing lists.
Click here for more Healthcare Blogs from Day Pitney
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
