Yesterday the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that North Memorial Health System of Minnesota (“North Memorial”) agreed to pay $1.5 million to settle charges that it potentially violated the HIPAA Privacy and Security Rules by improperly disclosing PHI on nearly 300,000 patients during a five-month period in 2011.

North Memorial reported on September 27, 2011, that an unencrypted laptop containing electronic PHI of 6,697 patients had been stolen on July 25, 2011, from an employee’s locked vehicle. North Memorial disclosed additional violations during the course of the OCR investigation. Specifically, North Memorial disclosed that it did not have a written business associate agreement (“BAA”) with its third-party billing company, Accretive, from March 21, 2011, to October 14, 2011, when a written BAA was put in place, resulting in the improper disclosure of PHI of at least 289,904 individuals.

The HIPAA Privacy and Security Rules require organizations to have a BAA in place with any company that has access to PHI, whether electronic or non-electronic. OCR’s investigation indicated that North Memorial gave Accretive access to its hospital database and also to non-electronic PHI when services were performed on-site.

The HIPAA Privacy and Security Rules also require a thorough and complete risk analysis to identify potential vulnerabilities and address potential risks. OCR determined that North Memorial failed to complete a risk analysis addressing the vulnerabilities and risks to electronic PHI across its entire IT infrastructure, including all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes, such as those that allowed an employee to take an unencrypted laptop off-site.

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of OCR. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

In addition to the $1,550,000 payment, the resolution agreement requires North Memorial to develop a robust, organization-wide risk analysis and risk management plan. North Memorial has agreed to complete this plan within 180 days, and the plan will include an inventory of all equipment that stores PHI. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to the corrective action plan. The Resolution Agreement and Corrective Action Plan are published by OCR.

This settlement illustrates OCR’s heightened scrutiny of business associate agreements and third-party vendor relationships. Last year OCR reached a $3.5 million settlement with Triple-S Management Corp for HIPAA violations that included not having BAAs with vendors. A company’s PHI safeguards are only as strong as the safeguards of the vendors with whom it does business. Covered entities must exercise due diligence in selecting third-party vendors, review each vendor’s cybersecurity and data breach plans, ensure that BAAs are in place and are being followed, review contractual obligations, and require audits of PHI safeguards. Failure to do so not only places personal health information at risk but can also be very costly for companies that are found to be in breach of their duties.