$1.55M HIPAA Settlement Between OCR And North Memorial Health Care

Jones Day

Contributor

Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.
United States Food, Drugs, Healthcare, Life Sciences

North Memorial Health Care of Minnesota ("North Memorial"), a comprehensive not-for-profit health care system, has agreed to pay $1.55 million to settle charges that it potentially violated the HIPAA Privacy and Security Rules when it failed to enter into a business associate agreement with a contractor and also did not conduct a risk analysis to address the security of patient data. The investigation by the Department of Health and Human Services Office for Civil Rights ("OCR") began in September 2011 with a report that an unencrypted laptop containing electronic private health information ("ePHI") for 9,497 patients was stolen from the car of an employee of contractor Accretive Health, Inc. Although Accretive Health had access to the ePHI of 289,904 patients, North Memorial did not have a business associate agreement in place with the contractor. In addition to this violation, North Memorial did not complete a risk analysis to address all the potential risks to its ePHI across its enterprise-wide IT infrastructure. Not only will North Memorial pay the $1.55 million fine, but it has also entered into a Corrective Action Plan under which it will develop policies and procedures related to business associate relationships, modify existing and create new risk analysis procedures, develop and implement a risk management plan, train its employees on all new policies and procedures, report additional events, and provide annual progress reports to OCR. In addition to the press release, the Resolution and Corrective Action Plan are available on the HHS website.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
