On March 16, 2016, the Office for Civil Rights (OCR) issued a press release announcing that it has settled its investigation of North Memorial Health Care System (NMHCS), located in Minnesota, for $1.55 million saying that the settlement “underscores the importance of executing HIPAA business associate agreements.”
The investigation started after NMHCS self-reported in September 2011 that an unencrypted laptop was stolen from the car of an employee of its vendor, Accretive Health, Inc., which performed billing services for NMHCS. The laptop included the protected health information (PHI) of 6,697 individuals.
The Resolution Agreement indicates that OCR alleged that NMHCS provided access to at least 289,904 of its patients’ PHI without having a Business Associate Agreement in place with Accretive.
Further, the Resolution Agreement alleges that NMHCS failed to conduct “an accurate and thorough risk analysis.”
In addition to the fine of $1.55 million, NMHCS entered into a Corrective Action Plan indicating that it would develop policies and procedures related to Business Associate relationships, modify its existing risk analysis process, develop and implement a risk management plan, train its employees, report any additional events and provide annual reports to the OCR on its progress.
There are several important lessons learned from this case. The importance of encrypting laptops cannot be underestimated, and this case is another example of a loss of data that could have been prevented if the laptop had been encrypted. Further, this fine resulted from a business associate’s data breach by failing to encrypt a laptop containing the PHI of a covered entity, which underscores the importance of evaluating business associates’ data security measures. Finally, this is the first OCR fine against a covered entity for failing to have a business associate agreement in place with the business associate. That message is loud and clear in the OCR’s press release. Covered entities may wish to take this OCR guidance and review processes in place for business associate contract management.