OCR fines MN hospital system $1.55 million for not having BAA with billing vendor

Robinson+Cole Data Privacy + Security Insider

On March 16, 2016, the Office for Civil Rights (OCR) issued a press release announcing that it had settled its investigation of North Memorial Health Care System (NMHCS), located in Minnesota, for $1.55 million, stating that the settlement “underscores the importance of executing HIPAA business associate agreements.”

The investigation started after NMHCS self-reported in September 2011 that an unencrypted laptop was stolen from the car of an employee of its vendor, Accretive Health, Inc., which performed billing services for NMHCS. The laptop included the protected health information (PHI) of 6,697 individuals.

The Resolution Agreement indicates that OCR alleged that NMHCS provided access to at least 289,904 of its patients’ PHI without having a Business Associate Agreement in place with Accretive.

Further, the Resolution Agreement alleges that NMHCS failed to conduct “an accurate and thorough risk analysis.”

In addition to the fine of $1.55 million, NMHCS entered into a Corrective Action Plan indicating that it would develop policies and procedures related to Business Associate relationships, modify its existing risk analysis process, develop and implement a risk management plan, train its employees, report any additional events and provide annual reports to the OCR on its progress.

There are several important lessons to be learned from this case. The importance of encrypting laptops cannot be overstated, and this case is another example of a loss of data that could have been prevented if the laptop had been encrypted. Further, this fine resulted from a business associate’s data breach, caused by its failure to encrypt a laptop containing a covered entity’s PHI, which underscores the importance of evaluating business associates’ data security measures. Finally, this is the first OCR fine against a covered entity for failing to have a business associate agreement in place with its business associate. That message is loud and clear in the OCR’s press release. Covered entities may wish to take this OCR guidance and review the processes they have in place for business associate contract management.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
