North Memorial Health Care of Minnesota will pay a $1.55 million settlement after a potential HIPAA violation in which it failed to make a business associate (BA) agreement with a contractor and did not conduct a risk analysis to address security of patient data.
The Minnesota not-for-profit health system overlooked "two major cornerstones of the HIPAA Rules," Jocelyn Samuels, director of the Department of Health and Human Services Office for Civil Rights (OCR), said in an announcement.
The investigation by OCR started in September 2011 after a report that an unencrypted laptop was stolen from the car of an employee of the BA, Accretive Health Inc. The laptop contained electronic private health information (ePHI) for almost 9,500 patients.
North Memorial did not have an agreement in place with the BA pertaining to data security, despite the BA having access to the ePHI of 289,904 patients, according to the announcement. In addition, the health system did not "complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure."
As part of the settlement, North Memorial also must create a risk-analysis and risk management plan and train employees on all policies and procedures within the plan.
In November, Anna Spencer, a partner at law firm Sidley Austin LLP, said the second round of HIPAA compliance audits likely will include more enforcement actions. OCR at that time hadn't announced when the audits will resume, but did say they would start early this year.
The industry also may see HIPAA noncompliance enforcement actions soon against BAs, according to privacy attorney Adam Greene, a partner at Davis Wright Tremaine LLP in the District of Columbia. Greene, in September, said that's because OCR generally takes two to three years to settle cases, and business associates first became directly liable for HIPAA compliance in September 2013.
To learn more:
- here's the announcement