Business Associate-Related HIPAA Violation Results in $750,000 Fines

Posted 6.1.12 by
wpadmin
Blog

Two years ago, South Shore Hospital of South Weymouth, Massachusetts suffered a data breach when boxes of unencrypted backup tapes went missing while being shipped to their data management business associate, Archive Data Solutions, to be erased. According to HealthcareITNews.com, over 800,000 affected individuals had their personal health information compromised, including names, SSNs, financial account numbers and medical diagnoses.

The Attorney General filed suit and finally reached a settlement – the hospital was fined a $250,000 civil penalty and required to contribute $225,000 to a state fund for protected health information protection awareness.

The case stipulates that the hospital never informed their business associate that ePHI (electronic protected health information) was on the tapes, and the hospital also did not do their due diligence to ensure their business associate had the appropriate safeguards in place to protect ePHI.

South Shore Hospital was also charged with the failure to sign a business associate agreement with Archive Data. Additionally, the hospital did not have any HIPAA training program in place for its workers.

This incident and the resulting fines could have been easily avoided with a bit of forethought and a more in-depth judgement process of their business associates. As I’ve written about before in Five Questions to Ask Your HIPAA Hosting Provider, a healthcare organization or any related organization that deals with PHI and is seeking third-party vendors needs to check the following off of their list before signing a contract:

  • Business associate has been independently audited across all 54 HIPAA citations and 136 audited components; they’ve passed with 100% compliance and can show you a copy of their report.
  • They can tell you the particular technologies they’ll use to meet HIPAA security standards.
  • They have documented policies and procedures already in place, including policies related to breach notification.
  • They have proof their employees are trained on how to handle your PHI, with last completed dates of training.
  • They should have their own business associate agreement in place that defines their responsibilities when handling your PHI.

Even if your vendor is not technically a business associate, if their service in any way may affect the availability, integrity or confidentiality of your patient health information, a business associate agreement should be a solid requirement.

Read more about HIPAA violations, including specific cases, violation types, penalties, and the most common errors made by healthcare organizations that have suffered a data breach in order to avoid a breach of your own.

References:
Massachusetts Hospital to Pay $750,000 to Settle Data Breach Case


HIPAA Compliant Data CentersLooking for more information on HIPAA IT requirements, recommendations, and the foundation of a secure HIPAA compliant data center?

Download our HIPAA Compliant Data Centers white paper now for a complete guide to HIPAA hosting with IT vendors.

Still have questions about HIPAA Hosting? Contact us now. Find out more about our fully compliant, HIPAA hosting solutions, or submit a quote request for your project today.


About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.

Get started with Otava now!

  • This field is for validation purposes and should be left unchanged.