Using Non-Compliant HIPAA Business Associate Agreements
Recently, the Office for Civil Rights (“OCR”) within the U.S. Department of Health and Human Services announced a $400,000 settlement and corrective action plan with Care New England Health System (the “System”). These actions stemmed from a breach that occurred when one of the System’s hospitals lost unencrypted backup tapes containing the information of 14,000 patients. The System was the information security provider for the hospital, and as such, was a HIPAA business associate of the hospital.
During the investigation of the breach, OCR discovered that the System had a non-compliant business associate agreement with the hospital. The System and hospital entered into a business associate agreement in 2005, but the agreement was not updated until 2015 – after OCR’s investigation. Consequently, the business associate agreement did not incorporate the revisions required under the 2013 HIPAA Omnibus Final Rule for over two years. Because of this, disclosures made by the hospital to the System under the outdated business associate agreement were impermissible, which formed the basis for the $400,000 settlement.
OCR’s latest settlement highlights the need for covered entities and their business associates to: (i) enter into compliant business associate agreements, (ii) review their business associate agreements on a regular basis to ensure they are up-to-date, and (iii) have in place policies and procedures covering when and how business associate agreements must be used and updated. It is clear from this settlement that OCR is paying attention to compliance with HIPAA’s business associate requirements.
If you have questions about the OCR settlement or compliance with HIPAA’s business associate requirements, please do not hesitate to contact Mike Burian, Taylor Fawns, Steve Johnson, or Ben Townsend at Kozak & Gayer.