Care New England pays $400,000 HIPAA fine for lost PHI in business associate breach
Care New England Health System has agreed to pay $400,000 and employ a corrective action plan to settle HIPAA violations.
On Nov. 5, 2012, the U.S. Department of Health and Human Services Office for Civil Rights received notification from Women & Infants Hospital of Rhode Island that unencrypted backup tapes containing the ultrasound studies of approximately 14,000 individuals were missing. The tapes held protected health information, including patient name, date of birth, date of exam, physician names, and, in some instances, Social Security Numbers.
“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” OCR Director Jocelyn Samuels said in a statement.
CNE provides centralized corporate support, such as finance, human resources, information services and technical, insurance, compliance and administrative functions, for its subsidiary affiliated covered entities. They include a number of hospitals and healthcare providers in Massachusetts and Rhode Island.
Women & Infants Hospital, a business associate of CNE, provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005. The document was not updated until August 28, 2015, as a result of OCR’s investigation, and did not incorporate revisions required under the HIPAA Omnibus Final Rule.
On July 17, 2014, Women and Infants entered into a consent judgment with the Massachusetts Attorney General’s Office and reached a settlement of $150,000. OCR found the consent judgment to sufficiently cover most of the conduct in this breach.