OCR fines Rhode Island health system $400,000 over BA agreements

The Department of Health and Human Services Office for Civil Rights on Friday reached a $400,000 settlement with Rhode Island-based Care New England Health System (CNE) for failing to update its business associate agreement with Woman & Infants Hospital (WIH) of Rhode Island.

The latter, in 2012, reported the loss of unencrypted ultrasound backup tapes affecting approximately 14,000 patients, according to an announcement. CNE provided technical support and information security services to the hospital, but a BA agreement initially signed in 2005 was not updated until 2015, and did not include revisions required under the HIPAA Omnibus Final Rule covering business associates.

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule," OCR Director Jocelyn Samuels said in a statement. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting."

WIH, in July 2014, reached a $150,000 settlement with the Massachusetts Attorney General’s Office, and though OCR still could levy a monetary penalty against the hospital, so far it has chosen not to since the problems have been addressed.

Privacy experts and OCR both have warned about increased HIPAA enforcement action involving business associates.