HHS recently entered into a Resolution Agreement with North Memorial Health Care of Minnesota (“North Memorial”) to settle charges that North Memorial potentially violated HIPAA by failing to (1) enter into a business associate agreement with a major contractor and (2) implement a comprehensive risk analysis with respect to the security of its patients’ protected health information. OCR launched an investigation of North Memorial after an unencrypted laptop was stolen from the vehicle of an employee of its business associate. As part of the settlement, North Memorial agreed to pay HHS $1.55 million and to a corrective action plan under which North Memorial must, among other conditions, review and revise its HIPAA policies, procedures, and training as well as develop an organization-wide risk analysis and risk management plan.

The Resolution Agreement is available here.