Another HIPAA Settlement – $1.55 Million Following Unencrypted Laptop Theft


$1.55 Million Settlement focuses on HIPAA requiring Business Associate Agreements

North Memorial Health Care of Minnesota entered into a settlement to pay $1.55 Million, resulting from allegations that it violated HIPAA by failing to enter into a business associate agreement (BAA) to address risks and vulnerabilities to its patient information.

In the Office for Civil Rights (OCR) announcement, Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) OCR, is quoted as saying, “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

The allegations and resulting settlement relate to a breach report and subsequent investigation following the theft of an unencrypted, password-protected laptop from the locked vehicle of a business associate’s workforce member. The laptop involved protected health information (PHI) of 9,497 individuals.

The OCR investigation discovered that there was no BAA in place, and that the business associate, Accretive Health, Inc., had access to North Memorial’s stored electronic PHI (ePHI) of 289,904 patients as well as non-electronic PHI. The investigation also determined that North Memorial failed to complete a risk analysis to address risks and vulnerabilities related to its IT infrastructure.

As a result of the breach and subsequent investigation, North Memorial paid a hefty fine ($1.55M) and was required to develop a risk analysis and risk management plan as required by the Security Rule, as well as to train workforce members on policies and procedures, both existing and developed pursuant to the corrective plan implemented by the OCR.

Lesson to be learned: a risk analysis and executed business associate agreements are not optional under HIPAA. Complying with HIPAA by conducting a risk assessment and entering into BAAs with business associates is an important issue, not to be disregarded by Covered Entities.

By Denise Bloch




The information on this website is for general information purposes only. Nothing on this site should be taken as legal advice for any individual case or situation.
This information is not intended to create, and receipt or viewing does not constitute, an attorney-client relationship. © 2014 Sandberg Phoenix & von Gontard P.C. All Rights Reserved.