Hospital Pays $400,000 HIPAA Breach Penalty for Obsolete ‘Business Associate’ Agreement

The federal investigation stemmed from the loss of unencrypted backup tapes containing patient data, which were maintained by the hospital’s parent company.

Aldrin Brown

September 27, 2016

A nurse files patient records in Berlin, Germany. (Photo by Adam Berry/Getty Images)


Brought to you by MSPmentor

A Rhode Island hospital agreed this month to pay $550,000 in settlements after failing to properly update business associate agreements as required under the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA), federal authorities said.

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) opened an investigation into Women & Infants Hospital of Rhode Island (WIH) after receiving a report of a data breach in November 2012.

WIH told federal authorities it had lost unencrypted backup tapes containing ultrasounds of 14,004 women, including patient names, dates of birth, dates of exams, physician names and, in some cases, Social Security numbers.

Information technology services, including information security, were handled by WIH’s parent company, Care New England Health Systems (CNE).

“WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until Aug. 28, 2015, as a result of OCR’s investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule,” according to a Sept. 23 OCR news release announcing the settlements.

The total amount to be paid by WIH is made up of two separate settlements.

A $400,000 payment is intended to resolve the federal probe, which found that WIH disclosed protected health information (PHI) to CNE without “obtaining satisfactory assurances as required under HIPAA,” in the form of a written business associate agreement, that CNE would safeguard the PHI.

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR Director Jocelyn Samuels.

“The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting,” she continued. “A sample Business Associate Agreement can be found on OCR’s website to assist covered entities in complying with this requirement.”

Another $150,000 consent judgment is being paid to the Massachusetts Attorney General’s Office in response to the hospital’s conduct in the underlying breach, including failing to provide adequate safeguards and failing to notify affected people in a timely manner.

“While the AGO’s actions do not legally preclude OCR from imposing civil money penalties, OCR determined not to include additional potential violations in this case for the purposes of settlement, given that such potential violations had already been addressed by the AGO and based on OCR’s policy approach to concurrent cases with State AGOs,” the federal news release said.

The $400,000 settlement with OCR brings the total amount of settlements for HIPAA security violations to $20.7 million this year, up sharply from $6.2 million in all of 2015.
