Deeper Than the Headlines: $400k Faulty BA

According to OCR, Care New England Health System (CNE) has common ownership or control of over 8 covered entity hospitals or clinics in Rhode Island and Massachusetts. In November of 2012, OCR received notification from one of CNE’s hospitals, Women & Infants Hospital of Rhode Island (WIH), that unencrypted backup tapes containing the ultrasound studies of approximately 14,000 individuals had been lost. The tapes contained information that included the patient’s name, date of birth, date of exam, physician names, and, in some instances, Social Security Numbers.

CNE was WIH’s business associate, providing centralized corporate support including technical support and information security for WIH’s information systems. WIH provided OCR with the business associate agreement between WIH and CNE, which was effective on March 15, 2005, but was never updated until August of 2015, as a result of OCR’s investigation.

The HIPAA Omnibus Final Rule required many revisions to business associate agreements (BAAs). The deadline, September 23, 2013, was widely known in HIPAA compliance circles, and many covered entities worked hard to update their BAAs before it. There was a ‘grandfathering’ provision for BAAs that complied with the old law, were in force before January 25, 2013, and were not renewed or modified from March 26, 2013, on. Those BAAs did not need to be revised until the agreement’s expiration date or September 23, 2014, whichever came first.

According to OCR’s resolution agreement with CNE, it appears that the BAA in question may have fallen into this grandfathered category because the factual background and covered conduct in the resolution agreement cited the date range of September 23, 2014, to August 28, 2015 (the date of the updated BAA).

This example drives home a couple of crucial points. First, the necessity of reviewing and updating business associate agreements is real. Jocelyn Samuels, OCR Director, stated, “This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule.”

Secondly, when a breach happens to even the best-intentioned of covered entities, it often opens the door for OCR to investigate and ask additional questions about an entity’s HIPAA compliance program. The $400,000 settlement and two-year corrective action plan were the result of an outdated BAA with CNE, which was discovered after WIH reported their breach. OCR did not take financial action on the original breach reported by WIH. The WIH breach had been settled previously with the Massachusetts Attorney General’s Office for $150,000. OCR specifically noted that it felt the consent judgment with the state’s attorney general was sufficient to cover the conduct of that particular breach, and OCR decided not to take further action regarding the breach. But, as evidenced by the settlement with CNE, OCR did take a look at the relationship between WIH and CNE and found the outdated BAA, which led to CNE’s settlement.

We can all learn a great deal about business associate best practices from the two-year corrective action plan (CAP) that accompanied the resolution agreement between CNE and OCR.

The Key Areas Of OCR Requirements in the CAP Include:

  1. A thorough review of general HIPAA policies and procedures followed by distribution of the policies and procedures to their workforce. Employees are required to sign or certify that they understand and will follow the policies. A key question to ask yourself is, how can I most effectively distribute policies and obtain confirmation or attestation that employees read the policy and certify they will follow them? And, where and how will I store those certifications in the event the government asks for them years down the road?
  2. Annually review and update policies and procedures. What process or system will you use to track deadlines, revisions and approvals regarding annual policy reviews? Where will documentation reside that demonstrates you’ve done this?
  3. Policy on business associate agreements including:
    • Designation of one or more individuals responsible for ensuring BAAs are in place and up to date.
    • A process for assessing current and future business relationships to determine when a BAA is needed.
    • A process for negotiating BAAs.
    • A process for maintaining documentation of a BAA for at least six years beyond the termination date with that BA.
    • A process to limit disclosures of PHI to business associates to the minimum necessary amount of PHI that is reasonably necessary for business associates to perform their duties.
  4. Security Incident Procedures, including a requirement that all members of CNE’s workforce report to the designated Privacy/Security Officer, at the earliest possible time, any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system (“security incident”) of which they become aware.
  5. Training. All workforce members need to be trained at least annually as it relates to their job function. Training needs to be reviewed annually and updated as needed. Each employee shall certify in writing or electronic form that they have completed the training. What system will you use to distribute training, document completion and store the documentation for future use?

OCR is serious about the process that covered entities follow for business associate management. Applying the seven elements of an effective compliance program to your organization’s HIPAA compliance program can boost your readiness for unexpected breaches and for the OCR investigation into your entire HIPAA compliance program that may follow. An ounce of prevention right now is worth a pound (or in this case $400,000) of cure later.
