HHS Fines Care New England for Outdated Business Agreement
Having a business associate agreement is one of the most important ways to protect your business and your client’s information from security breaches. However, as shown in a recent case decided by the Department of Health and Human Services (HHS), it is just as important to review and update that agreement when the time comes.

Following a security breach in 2012 involving Care New England Health System (CNE) and the patient health information (PHI) of 14,004 individuals from one of its covered entities, Women & Infants Hospital of Rhode Island (WIH), CNE had to pay $400,000 in fines and put in place a corrective action plan to address the HIPAA violation. In 2014, WIH agreed to pay a $150,000 settlement with the Massachusetts Attorney General’s Office when the Office of Civil Rights (OCR) found through its investigation that WIH had disclosed the PHI of the 14,004 patients and allowed CNE to release PHI without any assurances as required by HIPAA. WIH also failed to renew its business associate agreement with CNE, as HIPAA requires; that agreement would have included a commitment that CNE would safeguard the PHI of WIH patients.

The original business associate agreement was on file as of March 2005 and was not updated until August 2015, when in reality it should have been renewed by January 2013. All information has since been updated and all violations have been addressed, according to both the OCR and HHS.