$1.55 Million Settlement focuses on HIPAA requiring Business Associate Agreements
North Memorial Health Care of Minnesota entered into a settlement to pay $1.55 Million resulting from allegations that it violated HIPAA by failing to enter into a business associate agreement (BAA) and to address risks and vulnerabilities to its patient information.
In the Office for Civil Rights (OCR) announcement, Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) OCR, is quoted as saying “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
The allegations and resulting settlement relate to a breach report and the subsequent investigation following the theft of an unencrypted, password-protected laptop, containing protected health information (PHI) of 9,497 individuals, from the locked vehicle of a business associate’s workforce member.
The OCR investigation discovered that there was no BAA in place, and that the business associate, Accretive Health, Inc., had access to North Memorial’s stored electronic PHI (ePHI) of 289,904 patients as well as non-electronic PHI. The investigation also determined that North Memorial failed to complete a risk analysis to address risks and vulnerabilities related to its IT infrastructure.
As a result of the breach and subsequent investigation, North Memorial paid a hefty fine ($1.55M) and was required to develop a risk analysis and risk management plan as required by the Security Rule, as well as to train workforce members on its policies and procedures, both existing and those developed pursuant to the corrective plan implemented by the OCR.
Lesson to be learned: Risk Analysis and Executed Business Associate Agreements are not optional under HIPAA. Compliance with HIPAA by conducting a risk assessment and entering BAAs with business associates is an important issue, not to be disregarded by Covered Entities.
By Denise Bloch