Outdated HIPAA Agreement Costs Business Associate Big Bucks

An out-of-date business associate agreement and its potential Health Insurance Portability and Accountability Act violations came with a $400,000 price tag for business associate Care New England Health System.  

The monetary settlement and comprehensive corrective action plan came after a Department of Health and Human Services Office for Civil Rights investigation, OCR announced Sept. 23.

Care New England Health System entered into a business associate agreement with Women & Infants Hospital of Rhode Island in March 2005. Under the agreement, CNE would provide WIH with centralized corporate support, including technical support and information security for WIH’s information systems.

In November 2012, WIH reported to OCR the loss of unencrypted backup tapes containing the ultrasound studies of approximately 14,000 individuals, including patient name, date of birth, date of exam, physician names and, in some instances, Social Security numbers.

The business associate agreement, which was updated as a result of the OCR investigation in August 2015, failed to include revisions required under the January 2013 HIPAA Omnibus final rule.   

The OCR investigation found that: 

  • WIH disclosed protected health information and allowed its business associate, CNE, to create, receive, maintain or transmit PHI on its behalf, without obtaining HIPAA-satisfactory assurances. WIH failed to renew or modify its business associate agreement with CNE to include HIPAA Privacy and Security Rules. 
  • WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate, CNE, without obtaining satisfactory assurances from a business associate agreement that CNE would appropriately safeguard PHI. 

Could Have Cost More

Covered entities and business associates can be subject to even larger fines for failing to institute a HIPAA-compliant business associate agreement, as some were earlier this year.  

In April 2016, Raleigh Orthopaedic Clinic, P.A. of North Carolina agreed to pay $750,000 to settle charges it potentially violated HIPAA. The company disclosed the PHI of approximately 17,300 patients to a potential business associate without securing a business associate agreement.  

In March 2016, an OCR investigation found that North Memorial Health Care of Minnesota didn’t enter into a business associate agreement or perform a risk analysis of the organization. The electronic PHI of over 9,000 individuals was compromised when an unencrypted, password-protected laptop was stolen from an employee of the business associate, who later agreed to pay $1,550,000.
