Care New England pays $400,000 HIPAA fine for lost PHI in business associate breach

The case, which also includes Women & Infants Hospital of Rhode Island, stems from lost backup tapes housing protected health information, the Office for Civil Rights said.
By Bernie Monegain
10:41 AM
Care New England HIPAA fine

Care New England Health System has agreed to pay $400,000 and employ a corrective action plan to settle HIPAA violations.

On Nov. 5, 2012, the U.S. Department of Health and Human Services Office for Civil Rights received notification from Woman & Infants Hospital of Rhode Island that unencrypted backup tapes containing the ultrasound studies of approximately 14,000 individuals, were missing. The tapes held protected health information, including patient name, date of birth, date of exam, physician names, and, in some instances, Social Security Numbers.

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule, OCR Director Jocelyn Samuels, said in a statement.

CNE provides centralized corporate support, such as finance, human resources, information services and technical, insurance, compliance and administrative functions, for its subsidiary affiliated covered entities. They include a number of hospitals and healthcare providers in Massachusetts and Rhode Island.

Women & Infants Hospital, a business associate of CNE, provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005. The document had not been updated until August 28, 2015, as a result of OCR’s investigation, and did not incorporate revisions required under the HIPAA Omnibus Final Rule.

On July 17, 2014, Women and Infants entered into a consent judgment with the Massachusetts Attorney General’s Office and reached a settlement of $150,000. OCR found the consent judgment to sufficiently cover most of the conduct in this breach. 

Helpful advice on planning your purchase of IDS and IPS tools:

Like Healthcare IT News on Facebook and LinkedIn

More regional news

A programmer using a computer.

(Photo by skynesher/GettyImages)

Tift Regional Medical Center sepsis IT

The new Tift Regional Medical Center expansion will open in the fall of 2021 in Tifton, Georgia. The 263,000-square-foot, four-story tower will include a new emergency center, inpatient units and new ICU. (Credit: Tift Regional Medical Center)

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.