
How a Recent HIPAA Settlement Impacts Benefit Plans

Publications - Client Alert | October 13, 2016

Care New England Health System (“CNE”) recently agreed to pay $400,000 and enter into a corrective action plan with the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) to resolve HIPAA violations resulting, in part, from its failure to have in place an updated Business Associate Agreement (“BAA”) with Women & Infants Hospital of Rhode Island (“WIH”), one of CNE’s affiliated covered entities. This latest settlement comes on the heels of the $150,000 settlement WIH reached with the OCR in 2014.

Background

Acting as a business associate, CNE provides centralized corporate support, such as information security, to its affiliated covered entities, including WIH. On November 5, 2012, the OCR received notification from WIH that a breach of unsecured electronic PHI had occurred because unencrypted backup tapes containing electronic PHI were missing from two of its facilities. From 2012 until 2014, the OCR investigated WIH and found its procedures were deficient. As part of the 2014 settlement, WIH agreed to take steps to ensure future compliance with state and federal data security laws and regulations, including maintaining an up-to-date inventory of the locations, custodians, and descriptions of unencrypted electronic media and paper patient charts containing personal information and PHI. The hospital also agreed to perform a review and audit of security measures and to take corrective measures recommended in the review.

OCR Findings

As part of the OCR’s investigation of the breach, the OCR discovered that although a business associate agreement between CNE and WIH had been in place since March 15, 2005, it was not updated until August 28, 2015, and then only as a result of the OCR’s investigation. For that period, therefore, the BAA did not include all of the terms that the HIPAA Omnibus Final Rule (“Final Rule”), which went into effect in 2013, requires BAAs to contain. Despite this deficiency, WIH continued to disclose PHI to CNE.

As a result, the OCR found the following:

  1. WIH disclosed PHI to CNE without obtaining satisfactory assurances, as required by HIPAA.
  2. WIH failed to renew or modify its existing BAA with CNE to include the implementation specifications required by the HIPAA Privacy and Security Rules under the Final Rule.
  3. WIH impermissibly disclosed the PHI of over 14,000 individuals as a result of the outdated BAA, which did not contain the specific HIPAA-required terms governing the safeguarding of PHI.

Corrective Action Plan

In addition to paying $400,000 to settle the HIPAA violations, CNE (without admitting liability) was also required to enter into and comply with a two-year Corrective Action Plan (“CAP”) with the OCR. The CAP imposes specific requirements of which covered entities and business associates should take notice, including:

  1. Providing the OCR updated and revised HIPAA-compliant policies and procedures within 90 days of the effective date of the CAP and thereafter revising the policies and procedures within 60 days of the OCR’s responses.
  2. Training all workforce members on CNE’s HIPAA policies and procedures within 90 days of their implementation or within 90 days of when a person becomes a member of CNE’s workforce.
  3. Reporting to the OCR within 30 days of its determination that a workforce member violated HIPAA.
  4. Providing the OCR with an “Implementation Report” within 120 days after its receipt of the OCR’s approval of CNE’s training proposals. Such Implementation Report includes a copy of all training materials and an attestation signed by an owner or officer of CNE that all workforce members completed the required trainings.

Action Items

This settlement by CNE should serve as a warning for all covered entities and business associates. Failing to have compliant business associate agreements in place could prove especially costly given the OCR’s current aggressive stance on enforcement. We therefore recommend that employers sponsoring group health plans, and the business associates that serve them, take the following actions:

  • Promptly review all existing BAAs to ensure they were amended to comply with the Final Rule.
  • Promptly review template BAAs to ensure they comply with the Final Rule.
  • Promptly amend existing BAAs that do not comply with the Final Rule.
  • Review all service provider relationships to ensure that BAAs are in place with all business associates.
  • Schedule periodic reviews of BAAs and service agreements to prevent gaps in compliance.
  • Ensure you maintain an up-to-date inventory of the locations, custodians, and descriptions of unencrypted electronic media and paper patient charts containing personal information and PHI.

Additional Information

If you have any questions regarding HIPAA compliance, preparing or negotiating BAAs, addressing HIPAA breaches, or responding to OCR requests for information or investigations, please contact a member of our Employee Benefits Practice Group listed below.