The four-hospital, Providence, R.I.-based Care New England Health System has agreed to pay $400,000 and write a corrective action plan after a federal investigation found it lacked an up-to-date business associate's agreement between it and one of its hospitals.
The payment comes on top of a $150,000 settlement reached earlier between Women & Infants Hospital in Providence and the Massachusetts attorney general's office for potential HIPAA violations stemming from a 2012 data breach of about 14,000 patient records on 19 lost and unencrypted backup tapes.
Those missing records included patients' names, birthdates, dates of exams, physicians' names and, in some cases, the patients' Social Security numbers, according to a statement from HHS' Office for Civil Rights.
Care New England provides technical support and security services to Women & Infants and as such the healthcare system is a business associate of the hospital under the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.
The hospital provided investigators from HHS' Office for Civil Rights with a copy of its HIPAA-required business associate's agreement with Care New England, but the agreement had an effective date of March 2005 and was not updated until August 2015.
That meant the hospital had not incorporated into its business associate's agreement the required revisions under a HIPAA mega-rule released in January 2013. That rule, effective Sept. 23, 2013, had more stringent HIPAA requirements.
From then until the business associate's agreement was rewritten in 2015, the Office for Civil Rights alleged that Women & Infants Hospital “impermissibly disclosed the (HIPAA-protected medical records) of at least 14,004 individuals to its business associate.”
“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements,” Office for Civil Rights Director Jocelyn Samuels said.
The federal agency, while not barred from doing so, did not pursue a penalty against Women & Infants Hospital for the data breach itself or for failing to notify affected patients since the incident was adequately covered under the Massachusetts state settlement agreement, the Office for Civil Rights statement said.
About 12,110 of the patients affected by the breach were Massachusetts residents who had received care at a Women & Infants Hospital-operated Prenatal Diagnostics Center in New Bedford, Mass., according to a statement from Massachusetts Attorney General Martha Coakley's office.
The American Recovery and Reinvestment Act of 2009 gave state attorneys general the authority to bring civil actions against HIPAA violators in their states.