[BreachExchange] $1.55 million settlement underscores the importance of executing HIPAA business associate agreements

Thu Mar 17 15:51:55 EDT 2016

http://www.hhs.gov/about/news/2016/03/16/155-million-settlement-underscores-importance-executing-hipaa-business-associate-agreements.html#

North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to
settle charges that it potentially violated the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Privacy and Security
Rules by failing to enter into a business associate agreement with a major
contractor and failing to institute an organization-wide risk analysis to
address the risks and vulnerabilities to its patient information. North
Memorial is a comprehensive, not-for-profit health care system in Minnesota
that serves the Twin Cities and surrounding communities.

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,”
said Jocelyn Samuels, Director of the U.S. Department of Health and Human
Services (HHS) Office for Civil Rights (OCR). “Organizations must have in
place compliant business associate agreements as well as an accurate and
thorough risk analysis that addresses their enterprise-wide IT
infrastructure.”

OCR initiated its investigation of North Memorial following receipt of a
breach report on September 27, 2011, which indicated that an unencrypted,
password-protected laptop was stolen from a business associate’s workforce
member’s locked vehicle, impacting the electronic protected health
information (ePHI) of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a
business associate agreement, as required under the HIPAA Privacy and
Security Rules, so that its business associate could perform certain
payment and health care operations activities on its behalf. North Memorial
gave its business associate, Accretive Health, Inc., access to North
Memorial’s hospital database, which stored the ePHI of 289,904 patients.
Accretive also received access to non-electronic protected health
information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete
a risk analysis to address all of the potential risks and vulnerabilities
to the ePHI that it maintained, accessed, or transmitted across its entire
IT infrastructure -- including but not limited to all applications,
software, databases, servers, workstations, mobile devices and electronic
media, network administration and security devices, and associated business
processes.

In addition to the $1,550,000 payment, North Memorial is required to
develop an organization-wide risk analysis and risk management plan, as
required under the Security Rule. North Memorial will also train
appropriate workforce members on all policies and procedures newly
developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found on the HHS
website at:
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html
.

HHS offers model business associate agreement language at:
http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
as
well as guidance on conducting a HIPAA Risk Analysis:
http://www.healthit.gov/providers-professionals/security-risk-assessment.

To learn more about non-discrimination and health information privacy laws,
your civil rights, and privacy rights in health care and human service
settings, and to find information on filing a complaint, visit us at
www.hhs.gov/ocr <http://www.hhs.gov/ocr/index.html>.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160317/a314bd58/attachment.html>