Minnesota health system pays $1.55M after failing to make BA agreement, conduct risk analysis

OCR: North Memorial Health Care of Minnesota overlooked 'two major cornerstones of the HIPAA Rules'

North Memorial Health Care of Minnesota will pay a $1.55 million settlement after a potential HIPAA violation in which it failed to make a business associate (BA) agreement with a contractor and did not conduct a risk analysis to address security of patient data.

The Minnesota not-for-profit health system overlooked "two major cornerstones of the HIPAA Rules," Jocelyn Samuels, director of the Department of Health and Human Services Office for Civil Rights (OCR), said in an announcement.

The OCR investigation began in September 2011 after a report that an unencrypted laptop had been stolen from the car of an employee of the BA, Accretive Health Inc. The laptop contained electronic protected health information (ePHI) for almost 9,500 patients.

North Memorial did not have an agreement in place with the BA pertaining to data security, despite the BA having access to the ePHI of 289,904 patients, according to the announcement. In addition, the health system did not "complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure."

As part of the settlement, North Memorial also must develop a risk analysis and a risk management plan, and train employees on all policies and procedures within the plan.

In November, Anna Spencer, a partner at law firm Sidley Austin LLP, said the second round of HIPAA compliance audits likely will include more enforcement actions. OCR at that time hadn't announced when the audits will resume, but did say they would start early this year.

The industry also may see HIPAA noncompliance enforcement actions soon against BAs, according to privacy attorney Adam Greene, a partner at Davis Wright Tremaine LLP in the District of Columbia. Greene, in September, said that's because OCR generally takes two to three years to settle cases, and business associates first became directly liable for HIPAA compliance in September 2013.
