$1.55 Million HIPAA Settlement for Lack of a BAA and Risk Analysis Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations stemming from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the potential HIPAA violation penalties.

After a breach of PHI was reported on September 27, 2011, OCR conducted an investigation and found HIPAA violations that contributed to the breach of 9,497 patient health records. The investigation found that North Memorial had overlooked “two main cornerstones of the HIPAA Laws,” according to OCR Director Jocelyn Samuels.

The breach involved the theft of a laptop from an employee of a business associate (BA) of North Memorial. The laptop was stolen from the employee’s car, and although it was password-protected, the ePHI stored on it had not been encrypted. A login password does not protect data at rest: whoever holds the device can remove the drive and read it on another machine, which is why unencrypted ePHI on a stolen laptop is treated as a breach of unsecured PHI rather than a near miss.

The BA, Accretive Health, Inc., had been contracted to perform a range of healthcare and payment operations for North Memorial. Those operations required Accretive Health to be given access to a hospital database containing the ePHI of 289,904 patients. Paper copies of patient health information were also provided to the BA. However, North Memorial had not obtained a signed copy of a HIPAA-compliant BAA before granting access to patient data.

Under the HIPAA Rules, a covered entity must obtain a signed BAA from any vendor that performs activities, functions or services for or on behalf of the covered entity that require access to patient PHI. The signed BAA must be in place before access to patient health data is granted. The BAA must set out the obligations of the BA to safeguard PHI and to ensure it is not disclosed to any unauthorized parties.

The investigation also revealed that North Memorial had not conducted a thorough, organization-wide risk analysis. Without one, North Memorial could not have identified all of its security vulnerabilities and therefore could not have taken action to address them.

According to OCR, a HIPAA risk analysis must cover “all mobile devices, applications, databases, software, workstations, servers, electronic media, security devices, network administration as well as associated business processes.”

In a press release issued on March 16, Samuels said: “Organizations should have compliant business associate contracts in place and a thorough and accurate risk analysis that tackles their enterprise-wide IT infrastructure.”

In addition to the $1,550,000 settlement, North Memorial has agreed to adopt a Corrective Action Plan (CAP). The CAP will remain in force for two years after OCR has approved the risk analysis, risk management plan, policies and procedures, and HIPAA compliance training programs specified in the CAP.

North Memorial must develop compliant policies and procedures covering its BA relationships and must obtain a signed copy of a compliant BAA from all of its vendors, as required by the HIPAA Rules. Its existing procedure for conducting risk analyses must also be revised to cover all electronic equipment that can access ePHI, along with all data systems and applications operated by or on behalf of North Memorial.

A complete inventory of all electronic equipment must also be compiled and maintained, and that equipment must be included in North Memorial’s risk analysis. A risk management plan must be developed to address any vulnerabilities identified, and North Memorial is also required to give staff additional training on BAAs and risk management.

Full details of the Resolution Agreement and Corrective Action Plan can be downloaded here.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology and cyber security. Mark has contributed to leading publications and spoken at international forums, focusing on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.