<div dir="ltr"><a href="http://www.hhs.gov/about/news/2016/03/16/155-million-settlement-underscores-importance-executing-hipaa-business-associate-agreements.html#">http://www.hhs.gov/about/news/2016/03/16/155-million-settlement-underscores-importance-executing-hipaa-business-associate-agreements.html#</a><br><p>North Memorial Health Care of Minnesota has agreed to pay $1,550,000
to settle charges that it potentially violated the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Privacy and Security
Rules by failing to enter into a business associate agreement with a
major contractor and failing to institute an organization-wide risk
analysis to address the risks and vulnerabilities to its patient
information. North Memorial is a comprehensive, not-for-profit health
care system in Minnesota that serves the Twin Cities and surrounding
communities.</p>
<p>“Two major cornerstones of the HIPAA Rules were overlooked by this
entity,” said Jocelyn Samuels, Director of the U.S. Department of Health
and Human Services (HHS) Office for Civil Rights (OCR). “Organizations
must have in place compliant business associate agreements as well as an
accurate and thorough risk analysis that addresses their
enterprise-wide IT infrastructure.”</p>
<p>OCR initiated its investigation of North Memorial following receipt
of a breach report on September 27, 2011, which indicated that an
unencrypted, password-protected laptop was stolen from a business
associate’s workforce member’s locked vehicle, impacting the electronic
protected health information (ePHI) of 9,497 individuals.</p>
<p>OCR’s investigation indicated that North Memorial failed to have in
place a business associate agreement, as required under the HIPAA
Privacy and Security Rules, so that its business associate could perform
certain payment and health care operations activities on its behalf.
North Memorial gave its business associate, Accretive Health, Inc.,
access to North Memorial’s hospital database, which stored the ePHI of
289,904 patients. Accretive also received access to non-electronic
protected health information as it performed services on-site at North
Memorial.</p>
<p>The investigation further determined that North Memorial failed to
complete a risk analysis to address all of the potential risks and
vulnerabilities to the ePHI that it maintained, accessed, or transmitted
across its entire IT infrastructure -- including but not limited to all
applications, software, databases, servers, workstations, mobile
devices and electronic media, network administration and security
devices, and associated business processes.</p>
<p>In addition to the $1,550,000 payment, North Memorial is required to
develop an organization-wide risk analysis and risk management plan, as
required under the Security Rule. North Memorial will also train
appropriate workforce members on all policies and procedures newly
developed or revised pursuant to this corrective action plan.</p>
<p>The Resolution Agreement and Corrective Action Plan can be found on the HHS website at: <a id="anch_29" href="http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html">http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html</a>.</p>
<p>HHS offers model business associate agreement language at: <a id="anch_30" href="http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html">http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html</a> as well as guidance on conducting a HIPAA Risk Analysis: <a id="anch_31" href="http://www.healthit.gov/providers-professionals/security-risk-assessment"> http://www.healthit.gov/providers-professionals/security-risk-assessment</a>.</p>
<p>To learn more about non-discrimination and health information privacy
laws, your civil rights, and privacy rights in health care and human
service settings, and to find information on filing a complaint, visit
us at <a id="anch_32" href="http://www.hhs.gov/ocr/index.html">www.hhs.gov/ocr</a>.</p>
<br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="font-family:arial,helvetica,sans-serif"><span style="font-size:8pt"></span></span><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">
</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>