A recent settlement in lieu of a civil money penalty underscores two points we have harped upon continuously in this blog: the importance of having business associate agreements in place with entities that perform a service for you or on your behalf involving protected health information (“PHI”), and the importance of performing and documenting a risk analysis.
North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle charges that it had violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules by having failed to enter into a business associate agreement with a major contractor and having failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.
In announcing the settlement, the Department of Health and Human Services (“DHHS”) press release noted the violations. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the DHHS Office for Civil Rights (“OCR”). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop had been stolen from a business associate’s workforce member’s locked vehicle, affecting the electronic protected health information (“EPHI”) of 9,497 individuals.
OCR’s investigation indicated that North Memorial had failed to put in place the business associate agreement required under the HIPAA Privacy and Security Rules before allowing its business associate to perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the EPHI of 289,904 patients. Accretive also received access to non-electronic PHI as it performed services onsite at North Memorial.
The OCR investigation also showed that North Memorial had failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the EPHI that it maintained, accessed, or transmitted across its entire IT infrastructure, including its associated business processes.
Our HIPAA Documents Resource Center CD, 6th ed., which accompanies our Compliance Guide to HIPAA and the DHHS Regulations, 6th ed., contains a sample business associate agreement and a business associate policy. The Compliance Guide contains a complete analysis of the business associate relationship as modified by the so-called HITECH Act.