$1.55 Million HIPAA Settlement for Lack of BAA and Risk Analysis Failures

The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges.

Following a PHI breach reported on September 27, 2011, OCR conducted an investigation and discovered HIPAA violations that contributed to the cause of a breach of 9,497 patient health records. The investigation revealed that North Memorial had overlooked “Two major cornerstones of the HIPAA Rules,” according to OCR Director Jocelyn Samuels.

The data breach involved the theft of a laptop computer from a business associate of North Memorial. The laptop was stolen from the employee’s vehicle, and while the device was password-protected, the ePHI stored on the device had not been encrypted.

The business associate, Accretive Health, Inc., had been contracted to perform a number of payment and healthcare operations on behalf of North Memorial. Those operations required Accretive Health to be given access to a hospital database containing the ePHI of 289,904 patients. Non-electronic copies of patient health information were also provided to the BA. However, prior to access to patient data being granted, North Memorial had not obtained a signed copy of a HIPAA-compliant business associate agreement (BAA).

Under HIPAA Rules, covered entities must obtain a signed BAA from any vendor that provides functions, activities or services for or on behalf of a covered entity that requires access to patient ePHI. A signed copy of the BAA must be obtained before access to patient health data is provided. The BAA must outline the responsibilities the business associate has to ensure PHI is protected and is not disclosed to any unauthorized parties.

The investigation also revealed that North Memorial had not performed a comprehensive risk analysis for the entire organization. Consequently, North Memorial would not have been able to identify all security vulnerabilities and could therefore not have taken action to address all issues.

A HIPAA risk analysis must cover “all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes,” according to OCR.

In a press release issued on March 16, Samuels said “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

In addition to the $1,550,000 settlement, North Memorial has agreed to comply with a Corrective Action Plan (CAP). That CAP will continue for 2 years following the acceptance of the policies and procedures, risk analysis, risk management plan, and training programs detailed in the CAP.

North Memorial must develop compliant policies and procedures with respect to its business associate relationships, and must obtain a signed copy of a compliant BAA from all of vendors in accordance with HIPAA Rules. The current process for conducting risk analyses must also be revised to include all electronic equipment capable of touching ePHI, as well as data systems and applications run by or on behalf of North Memorial.

A complete inventory of all electronic equipment must also be created and maintained, and that equipment must be incorporated in North Memorial’s risk analysis. A risk management plan must also be developed to deal with any vulnerabilities identified and North Memorial is also required to provide staff with further training on BAAs and risk management.

Full details of the CAP and Resolution Agreement can be downloaded here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.