Providence, R.I.-based Care New England Health System will settle alleged HIPAA violations stemming from a 2012 data breach at Women & Infants Hospital. Care New England, the parent company of WIH, will pay $400,000 and adopt a corrective action plan.
WIH, also in Providence, notified HHS in November 2012 of the loss of unencrypted backup tapes containing ultrasound studies of about 14,000 individuals. The backup tapes included patient names, birth dates, exam dates, physician names and some Social Security numbers.
Care New England is deemed a business associate of WIH, as it provides centralized corporate technical support and information security for the hospital. According to the resolution agreement, WIH and CNE had a business associate agreement effective March 2005, but it was not updated until August 2015 following OCR's investigation into this data breach.
OCR's investigation found WIH disclosed protected health information to CNE and allowed CNE to create, receive, maintain and transmit PHI on its behalf without having "satisfactory assurances" required under HIPAA.
"This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule," said OCR Director Jocelyn Samuels.
This is the second HIPAA settlement stemming from this incident. In 2014, WIH agreed to a $150,000 settlement with the Massachusetts attorney general's office for the incident. Given that earlier settlement, OCR decided not to include additional civil money penalties in the current settlement related to the lack of appropriate safeguards, as the state's AG sufficiently addressed them.