OCR Announces HIPAA Settlement and New FAQ on Business Associate Agreements.

Date posted: October 4, 2016

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced a settlement involving the failure to review and update a business associate agreement (BAA), under the Health Insurance Portability and Accountability Act (HIPAA).  Care New England Health System (CNE) provides administrative and other support for affiliated covered entities, including Woman & Infants Hospital of Rhode Island (WIH).  CNE paid OCR $400,000 and entered into a corrective action plan on behalf of WIH following the loss of unencrypted tapes of ultrasound studies for roughly 14,000 patients.  The tapes contained patient names, birth dates, exam dates, physician names, and social security numbers.

WIH and CNE executed a BAA in March 2005 for CNE to provide technical support and security for WIH information systems.  However, the BAA was not updated until August 2015 and did not include revisions required under the HIPAA Omnibus Final Rule.  OCR therefore found that WIH impermissibly disclosed PHI to CNE without obtaining satisfactory assurances under HIPAA confirming that CNE would appropriately safeguard the PHI.  WIH reached a settlement of $150,000 for the underlying breach and entered into a consent judgment with the Massachusetts Attorney General’s Office.

Further, OCR recently issued guidance addressing whether business associates may block or terminate a covered entity’s access to PHI maintained by the business associate for the covered entity.  The FAQ clarifies that business associates may not use such information for a purpose or result that would violate HIPAA.  The FAQ further clarifies that business associates are responsible for ensuring the availability of PHI that it creates, receives, maintains, or transmits on behalf of a covered entity.  The covered entity must be able to use and access the PHI, whether it is maintained in an electronic health record, cloud, data backup system, database, or other system.

OCR HIPAA News Releases & Bulletins are available at:


The OCR Frequently Asked Question on covered entity access to PHI maintained by a business associate is available at:


Department of Health and Human Services Office for Civil Rights.  “HIPAA Settlement Illustrates the Importance of Reviewing and Updating, as Necessary, Business Associate Agreements.”  Press Release.  23 Sept. 2016.

Department of Health and Human Services Office for Civil Rights.  “May a business associate of a HIPAA covered entity block or terminate access by the covered entity to the protected health information (PHI) maintained by the business associate for or on behalf of the covered entity?”  Frequently Asked Questions.  28 Sept. 2016.

‹ Return to the Main News Page
‹ Return to the CRC Homepage