Don’t Ignore the Importance of Business Associate Agreements!
On March 16, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) entered into a $1.55 million settlement with a Minnesota health system for failure to have a business associate agreement (“BAA”) with a third party contractor and failure to implement an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. OCR investigated the health system as a result of a breach report involving an unencrypted but password protected laptop that was stolen from the car of an individual employed by the third party contractor. The laptop contained electronic protected health information (“ePHI”) of 9,497 individuals. OCR’s investigation revealed that the third party contractor had access to the health system’s hospital database, which stored the ePHI of 289,904 individuals, but that no business associate agreement was in place. See the press release here.
Researchers Must Comply with HIPAA!
On March 17, 2016, OCR reached a settlement in the amount of $3.9 million with a biomedical research institute (“Institute”) based in New York. OCR began its investigation after being notified by the Institute that a laptop computer had been stolen from an employee’s car. The laptop contained ePHI of approximately 13,000 patients and research participants. Among OCR’s findings, the investigation revealed that the Institute: (1) lacked policies and procedures for authorizing access to ePHI by its employees; (2) failed to implement safeguards to restrict access by unauthorized users; (3) lacked policies and procedures to govern the receipt and removal of laptops containing ePHI into and out of its facilities; and (4) failed to implement proper mechanisms for safeguarding ePHI (i.e., encryption). This settlement is the first involving a research institute and demonstrates OCR’s commitment to promoting the privacy and security protections in health research. See the press release here.
These settlements are a reminder that covered entities, including researchers, and business associates must comply with all aspects of HIPAA. In addition, both settlements involved stolen unencrypted laptops; thus, to avoid breaches and possible fines, covered entities and business associates should ensure that laptops and other mobile devices that contain ePHI are encrypted.