The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations arising from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA non-compliance penalties.
After a PHI breach reported on September 27, 2011, OCR carried out an investigation and found HIPAA violations that contributed to the breach of 9,497 patient health records. The investigation showed that North Memorial had failed to comply with “two major cornerstones of the HIPAA Rules,” according to OCR Director Jocelyn Samuels.
The data breach involved the theft of a laptop computer from an employee of a business associate of North Memorial. The laptop was stolen from the employee’s vehicle, and while the stolen device was password-protected, the ePHI stored on the device had not been encrypted.
The business associate, Accretive Health, Inc., had been contracted to carry out a number of payment and healthcare operations on behalf of North Memorial. Those operations required Accretive Health to have access to a hospital database containing the ePHI of 289,904 patients. Non-electronic copies of patient health data were also given to the BA. However, before access to patient data was granted, North Memorial had not received a signed copy of a HIPAA-compliant business associate agreement (BAA).
Under HIPAA Rules, covered entities must obtain a signed BAA from any vendor that provides functions, activities or services for or on behalf of a covered entity that require access to patient ePHI. A signed copy of the BAA must be obtained before access to patient health data is provided. The BAA must describe the responsibilities the business associate has to ensure PHI is secured and is not disclosed to any unauthorized entities.
The investigation also showed that North Memorial had not completed a thorough risk analysis for the entire organization. Consequently, North Memorial would not have been aware of all security vulnerabilities and could therefore not have taken appropriate action to address all issues.
A HIPAA risk analysis must investigate “all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes,” according to OCR.
In a press statement released on March 16, Samuels stated, “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
Along with the $1,550,000 settlement, North Memorial has agreed to adhere to a Corrective Action Plan (CAP). That CAP will continue for 2 years after the acceptance of the policies and procedures, risk analysis, risk management plan, and training programs outlined in the CAP.
North Memorial must formulate compliant policies and procedures with respect to its business associate relationships, and must obtain a signed copy of a compliant BAA from all of its vendors in line with HIPAA Rules. The current process for completing risk analyses must also be revised to include all electronic equipment capable of touching ePHI, as well as data systems and applications run by or for North Memorial.
A complete inventory of all electronic devices must also be created and maintained, and that equipment must be reviewed in North Memorial’s risk analysis. A risk management plan must also be developed to deal with any vulnerabilities found, and North Memorial is also required to provide staff with further training on BAAs and risk management.
Full details of the CAP and Resolution Agreement can be viewed here.