IT Contractor Fails to Submit Paperwork, Leading to $3 Million Fine
Failure to get a signature on a simple form cost a California hospital group $3 million in penalties, helping to make 2018 the most painful year yet for HIPAA violators.
When Cottage Health Systems, operator of four California hospitals, hired an outside information technology (IT) firm to maintain its electronic protected health information (ePHI), management failed to obtain the signed form that HIPAA requires of every business providing HIPAA-covered services.
During maintenance, the IT contractor completed its tasks but left patient names, addresses, dates of birth, diagnoses, lab results and other treatment information exposed to anyone who happened upon the Cottage Health network, with no username or password required.
More than 62,500 patients were affected.
The breach was identified by Cottage Health and reported to the Office for Civil Rights (OCR), as required by law. On investigation, however, government regulators found that the "Business Associate Agreement" was missing.
Contractors and vendors of HIPAA-covered providers may not provide clinical services to patients, but these "Business Associates" do have access to protected health information.
A Business Associate Agreement may look like a simple form, but it is a legal contract that spells out how the Business Associate will comply with HIPAA and the responsibilities and risks it takes on.
By the end of 2018, the OCR had levied a record $28.7 million in penalties for violations, the largest annual total in HIPAA history.