Hospital fined $400,000 for obsolete Business Associate Agreements

In a clear message to healthcare organizations, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) fined Women & Infants Hospital of Rhode Island (WIH) for not having updated HIPAA Business Associate Agreements.

“WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until Aug. 28, 2015, as a result of OCR’s investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule,” according to a Sept. 23 OCR news release announcing the settlements.

The fine was the result of an investigation into a HIPAA breach reported back in November 2012.

WIH told federal authorities it had lost unencrypted backup tapes containing ultrasounds of 14,004 women, including patient names, dates of birth, dates of exams, physician names and, in some cases, Social Security numbers.

OCR Director Jocelyn Samuels sent a clear message about keeping HIPAA Business Associate Agreements up to date:

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR Director Jocelyn Samuels.

Having signed and updated HIPAA Business Associate Agreements is required by HIPAA regulations. If an organization is audited by OCR and asked to produce its BAAs, not having complete or updated BAAs is a sure sign that the organization does not have a comprehensive or thorough HIPAA compliance program. Make sure your BAAs are updated and that you have one for every Business Associate.