Skip to Content

$400,000 HIPAA Settlement for Failure To Review and Update Business Associate Agreement

Publications - Client Alert | October 11, 2016

Care New England Health System (“CNE”), on behalf of its affiliated covered entities under its common ownership or control, agreed to pay $400,000 and enter into a corrective action plan with the HHS Office for Civil Rights (“OCR”) to resolve HIPAA violations resulting, in part, from its failure to have in place an updated Business Associate Agreement (“BAA”) with Woman & Infants Hospital of Rhode Island (“WIH”), one of CNE’s affiliated covered entities.


Acting as a business associate, CNE provides centralized corporate support to its affiliated covered entities, including WIH, such as technical support and information security.  On November 5, 2012, the OCR received notification from WIH that a breach of unsecured electronic protected health information (“PHI”) had occurred because unencrypted backup tapes containing electronic PHI were missing from two of its facilities.

OCR Findings

As part of the OCR’s investigation of the breach, the OCR discovered that although there was a business associate agreement between CNE and WIH (effective March 15, 2005), it had not been updated until August 28, 2015.  Therefore, for a period of time, the BAA did not include all the new requirements for BAAs that were mandated by the HIPAA Omnibus Final Rule (“Final Rule”) that went into effect in 2013.  Nonetheless, WIH was disclosing PHI to CNE.

As a result, the OCR found the following:

(i) WIH disclosed PHI to CNE without obtaining satisfactory assurances, as required by HIPAA.

(ii) WIH failed to renew or modify its existing BAA with CNE to include the implementation specifications required by the HIPAA Privacy and Security Rules under the Final Rule.

(iii) WIH impermissibly disclosed PHI of over 14,000 individuals as result of the outdated BAA that did not provide specific HIPAA-required terms in connection with safeguarding PHI.

Corrective Action Plan

In addition to paying $400,000 to settle the HIPAA violation, CNE (without admitting liability) also was required to enter into and comply with a two-year Corrective Action Plan (“CAP”) with the OCR that has specific requirements, of which covered entities should take notice.  The requirements include:

(i) Providing the OCR updated and revised HIPAA-compliant policies and procedures within 90 days of the effective date of the CAP and thereafter revising the policies and procedures within 60 days of the OCR’s responses.

(ii) Training all workforce members on CNE’s HIPAA policies and procedures within 90 days of their implementation or within 90 days of when a person becomes a member of CNE’s workforce.

(iii) Reporting to the OCR within 30 days of its determination that a workforce member violated HIPAA.

(iv) Providing the OCR with an “Implementation Report” within 120 days after its receipt of the OCR’s approval of CNE’s training proposals.  Such Implementation Report includes the following:

1.      A copy of all training materials, including topics covered and length of sessions.

2.      Attestation signed by an owner or officer of CNE that all workforce members completed the required trainings.

How You Should Respond

The OCR stated that “[t]his case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule.”  Covered entities should promptly ensure their template BAAs have been reviewed and updated to reflect the requirements stemming from the Final Rule.  Covered entities should assess their relationships with those parties with whom they currently have an existing BAA to ensure it is updated.  Also, it is important that covered entities assess their relationships with third parties that may have access to their PHI and with whom there is no BAA to determine whether a business associate relationship exists and requires execution of a BAA.

Covered entities also must be mindful and proactive in training workforce members on their HIPAA obligations and particularly those workforce members who engage third-party individuals and entities that provide services for or on behalf of the covered entity and may be business associates.

Additional Information

If you have any questions regarding HIPAA Business Associate Agreements or our health care practice, please contact your Kutak Rock LLP attorney; the authors of this client alert, Ryan Portwood or Debra Fiala; or a member of our Health Care Practice Group working with HIPAA listed in the right-hand column of this page. 

For a printer-friendly pdf of this client alert, please click on the file below.

This Health Care client alert is a publication of Kutak Rock LLP. This publication is intended to notify our clients and friends of current events and provide general information about health care issues. It is not intended, nor should it be used, as legal advice, and it does not create an attorney-client relationship.

This material could be considered advertising in some jurisdictions.

The choice of a lawyer is an important one and should not be based solely upon advertisements.