Lack of BAA and Risk Analysis Failures Lead to $1.55 Million HIPAA Settlement

by Patrick Kennedy | Mar 17, 2016

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations arising from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to resolve the potential violations.

After a PHI breach was reported on September 27, 2011, OCR investigated and found HIPAA violations that contributed to the breach of 9,497 patient health records. The investigation showed that North Memorial had failed to comply with “two major cornerstones of the HIPAA Rules,” according to OCR Director Jocelyn Samuels.

The data breach involved the theft of a laptop computer from an employee of a business associate of North Memorial. The laptop was stolen from the employee’s vehicle, and while the device was password-protected, the ePHI stored on it had not been encrypted. A login password alone does not protect data at rest: once a thief has physical possession of the device, the drive can be removed or booted from other media and its contents read, which is why unencrypted ePHI on a stolen device is treated as a reportable breach.

The business associate, Accretive Health, Inc., had been contracted to carry out a number of payment and healthcare operations on behalf of North Memorial. Those operations required Accretive Health to have access to a hospital database containing the ePHI of 289,904 patients. Non-electronic copies of patient health data were also given to the BA. However, before access to patient data was granted, North Memorial had not received a signed copy of a HIPAA-compliant business associate agreement (BAA).

Under HIPAA Rules, covered entities must obtain a signed BAA from any vendor that performs functions, activities or services for or on behalf of the covered entity that require access to patient ePHI. The signed BAA must be in place before access to patient health data is provided, and it must set out the business associate’s responsibilities for safeguarding PHI and preventing its disclosure to unauthorized parties.

The investigation also showed that North Memorial had not completed an accurate and thorough risk analysis covering the entire organization. Without one, North Memorial could not have known of all the risks and vulnerabilities to its ePHI, and therefore could not have taken appropriate action to reduce them.

A HIPAA risk analysis must investigate “all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes,” according to OCR.

In a press statement released on March 16, Samuels stated “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

Along with the $1,550,000 settlement, North Memorial has agreed to a Corrective Action Plan (CAP). The CAP will remain in effect for two years after OCR accepts the policies and procedures, risk analysis, risk management plan, and training programs required under it.

North Memorial must develop compliant policies and procedures for its business associate relationships, and must obtain a signed copy of a compliant BAA from all vendors in line with HIPAA Rules. Its process for conducting risk analyses must also be revised to cover all electronic equipment that can store, process or transmit ePHI, as well as the data systems and applications operated by or for North Memorial.

A complete inventory of all electronic devices must also be created and maintained, and that equipment must be covered by North Memorial’s risk analysis. A risk management plan must be developed to address any vulnerabilities identified, and North Memorial is also required to provide staff with further training on BAAs and risk management.

Full details of the CAP and Resolution Agreement can be viewed here.




Patrick Kennedy

Patrick Kennedy is a journalist and editor with nearly two decades of experience. He has managed teams of writers, overseeing the production of content and its adherence to professional standards. A particular area of specialization for Patrick is compliance, especially HIPAA (Health Insurance Portability and Accountability Act), and he has authored numerous articles on compliance and its implications for various industries. Patrick holds a bachelor’s degree from the University of Limerick and a master’s degree in journalism from Dublin City University. You can contact Patrick through his LinkedIn profile.
