Failure to Review and Update Business Associate Agreements Leads to $400,000 Settlement
September 28, 2016 | Strategic Insights for Health System
On September 23, 2016, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced that a New England health system has agreed to pay $400,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The system, which provides centralized corporate support for affiliates in Rhode Island and Massachusetts, must also submit a corrective action plan. On November 5, 2012, OCR received notification from one of the system's covered entities about the loss of unencrypted backup tapes containing ultrasound studies of approximately 14,000 individuals, including patient names, dates of birth, examination dates, names of physicians, and Social Security numbers. The hospital provided OCR with a business associate agreement that had been in effect since March 2005 and was not updated until after OCR's investigation, meaning it did not incorporate the revisions required under HIPAA.