[ Tuesday, September 27, 2016 ]
Why did Care New England Pay $400,000 for Failing to Update Internal BAAs?
Jeff [11:03 AM]
The healthcare system management entity is technically a business associate of the related providers, and thus there must be business associate agreements between the provider entities and the management entity. They apparently entered into appropriate agreements in 2005, but failed to update them in 2013 after the Omnibus Rule was issued.
The management entity apparently lost 19 unencrypted backup tapes containing PHI on 14,000 individuals. There is no evidence that the tapes have been acquired by any unauthorized individual or that the information on the tapes has been used in any way. However, there's also no evidence that they haven't been acquired or used.
The State of Massachusetts fined Care New England $150,000 for the actual breach, so OCR did not fine them for the breach itself. Instead, OCR fined them for failing to update their BAAs: specifically, the BAA between the two related entities, the hospital whose data was lost and the closely-related management company.
It should be noted that the required updates from the Omnibus Rule (specific reference to subcontractors, specific reference to BA's obligations under the Security Rule, and a specific statement relating to BA's performance of CE's obligations under the Privacy Rule) have absolutely nothing to do with the breach that occurred and the potential damages.
Yes, that's right: if Care New England had done what they're paying $400,000 for failing to do, they would be in the exact same position they are now. Fixing that glitch would have had absolutely no impact on the loss of data (which actually occurred in 2012, before the Omnibus Rule was even published).