The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) continued its run of resolution agreements for HIPAA violations, pulling in $5.45 million from just two entities, North Memorial Health Care of Minnesota (NMHCM) and the Feinstein Institute for Medical Research (Feinstein), in a single week. The resolution agreements emphasize that business associate agreements and security risk analyses are “major cornerstones” of the HIPAA rules, and research institutions working with patient information are held to the same standards as covered entities for protecting patient data. Judging from these resolution agreements and our work with the OCR in its investigations, the OCR considers business associate agreements and security risk analyses as “low-hanging fruit” for covered entities’ HIPAA compliance.

The NMHCM Settlement

On March 16, 2016, NMHCM agreed to pay $1.55 million for failing to enter into a business associate agreement with a major contractor, Accretive Health, a hospital revenue cycle management company, for seven months and for failing to conduct an organization-wide risk analysis to address risks and vulnerabilities to patient information. The OCR investigation followed a report by NMHCM of the theft of a laptop from the locked vehicle of an Accretive Health employee. Accretive Health, as the business associate, had access to NMHCM’s hospital database, which contained the protected health information (PHI) of 289,904 patients. The stolen laptop was password protected but unencrypted and contained the PHI of approximately 9,497 NMHCM patients.

The Feinstein Settlement

Feinstein, a biomedical research institute sponsored by Northwell Health Inc., a large health system consisting of 21 hospitals and over 450 patient facilities and physician practices, agreed to pay $3.9 million related to a breach report submitted to OCR in 2012. Feinstein reported the theft of a laptop containing PHI of approximately 13,000 patients waiting to participate in a research study.

OCR’s investigation concluded that Feinstein failed to conduct a risk analysis and implement the following:

  • Policies and procedures for workforce access to electronic PHI (ePHI)
  • Physical safeguards for laptops containing ePHI to restrict access by unauthorized users
  • Policies and procedures that govern receipt and removal of hardware and electronic media containing ePHI into and out of a facility and movement within a facility
  • A mechanism to encrypt ePHI, or alternatively document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to safeguard ePHI.