Nothing good can happen if you share PHI with a business associate without having a business associate agreement in place. North Memorial Health Care of Minnesota (“North Memorial”) learned that lesson this week when HHS announced that it had reached a $1.55 million settlement with the hospital. The HHS investigation began after an unencrypted laptop containing PHI about North Memorial patients was stolen from the car of an employee of Accretive Health, a business associate of North Memorial.

You might be thinking: “Wait a minute; why is the hospital being held liable for a breach by a business associate?” Normally, a covered entity is not responsible for the HIPAA violations of its business associates. In this case though, HHS found that North Memorial did not have a business associate agreement in place with Accretive Health and had failed to conduct an accurate risk analysis that might have identified this vulnerability to its electronic PHI.

Here are four lessons from the North Memorial settlement:

  1. Electronic PHI should be safeguarded with encryption technology. Historically, over half of all reported breaches of PHI are related to theft or loss of a portable device.  In this case, the stolen laptop would never have been reported to HHS if it had been encrypted.
  2. Covered entities (health plans and health care providers) should not share PHI with any business associate without a valid business associate agreement in place. A business associate agreement could have protected North Memorial from any liability in this case, though HHS could have pursued Accretive Health for HIPAA violations. As additional protection to the covered entity, the business associate agreement could require that the business associate encrypt all of the electronic PHI associated with the covered entity. Finally, a business associate agreement can be a helpful guide that allocates responsibility for any reporting and corrective actions that may need to be taken in the event there is a breach of the PHI held by the business associate.
  3. The actions of a business associate can result in an investigation of the covered entity. When a breach happens to the business associate, it is required to report the breach to the covered entity, and it is the covered entity that must fulfill any reporting obligation to HHS. Any resulting HHS investigation will normally include the HIPAA compliance efforts of both the business associate and the covered entity.
  4. Covered entities and business associates must each perform a HIPAA security risk analysis. You cannot be compliant with the security rule if that fundamental step has not been taken. But beyond that, the risk assessment can shed light on areas that need immediate attention in order to prevent exposure to significant liability, like the $1.55 million resolution amount agreed to by North Memorial.