OCR hits Care New England Health with $400,000 HIPAA fine

The HHS Office for Civil Rights has levied another heavy fine on a covered entity for violations of the HIPAA privacy and security rules.

Three-hospital Care New England Health System (CNE) agreed to pay a $400,000 fine and complete an OCR-prescribed corrective action plan that will last for six years. As in recent OCR penalties, the chain was sanctioned because of the business associate provisions of HIPAA.

Care New England provides corporate services such as finance, human resources, information systems and security, compliance and administrative functions to its hospitals and other providers in a delivery system that serves parts of Massachusetts and Rhode Island.


The HIPAA disciplinary action stemmed from CNE’s notification to OCR in November 2012 that unencrypted backup tapes holding protected health information from ultrasound studies on more than 12,000 individuals at Women & Infants Hospital in Rhode Island were lost. Information at risk included patient names, dates of birth, dates of examination, physician names and some Social Security numbers.


Consequently, the OCR investigation covered both Care New England and Women & Infants Hospital; OCR reported separate decisions for both entities.

Providing centralized corporate support to its hospitals and providers meant that Care New England served as Women & Infants Hospital’s business associate. Further, an investigation into the breach found that Women & Infants Hospital had not been complying with business associate requirements for 10 years.

“WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until August 28, 2015, as a result of OCR’s investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule,” the agency said in a statement.

While OCR was investigating the breach, so was the Massachusetts Attorney General’s Office, which in July 2014 reached a settlement agreement with Women & Infants Hospital that included a $150,000 fine. As a result of the state’s action, OCR did not fine the hospital.

“OCR found the consent judgment to sufficiently cover most of the conduct in this breach, including the failure to implement appropriate safeguards related to the handling of the PHI contained on the backup tapes and the failure to provide timely notification to the affected individuals,” according to the statement.

The corrective action plan imposed on Care New England is in effect for six years and available here.

Care New England issued the following statement to Health Data Management:

“On July 23, 2014, Women & Infants Hospital announced it had entered into a consent judgment with the Massachusetts Attorney General's Office and reached a settlement of $150,000 to resolve allegations that it failed to protect personal information and protected health information of some 12,000 patients in Massachusetts. We had no reason to believe that the information on the backup tapes was accessed or used improperly, but notified affected patients and provided call center support to directly address any concerns. On September 23, 2016, Care New England Health System, on behalf of each of the covered entities under its common ownership or control, agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a monetary payment of $400,000 and a comprehensive corrective action plan set forth by the U.S. Department of Health and Human Services Office for Civil Rights. Care New England has and will continue to cooperate with the corrective action plan.”
