As we have repeatedly emphasized on this blog, HIPAA Covered Entities must ensure that they have compliant business associate agreements (“BAAs”) in place with all of their business associates and must ensure that they have performed a comprehensive risk assessment. A $1.55 million settlement between North Memorial Health Care of Minnesota (“NMHC”) and the Office for Civil Rights (“OCR”) announced this week emphasizes the seriousness of these requirements.
NMHC came under investigation by OCR after a September 2011 breach involving the theft of an unencrypted laptop from a business associate’s employee’s car. The laptop contained the electronic protected health information of nearly 10,000 individuals. The investigation uncovered that NMHC had not entered into a BAA with the business associate, Accretive Health, when it engaged Accretive in March 2011 and did not enter into a BAA until October 2011. During this interim period, Accretive had access to the protected health information of more than 250,000 individuals. Additionally, OCR found that NMHC had not conducted an accurate and thorough enterprise-wide risk analysis.
In addition to the $1.55 million fine, NMHC agreed to enter into a corrective action plan (“CAP”) requiring it to develop policies and procedures related to business associate relationships, complete a risk assessment and develop and implement a risk management plan, and develop training for its workforce related to business associate requirements.
OCR’s announcement of the settlement was accompanied by links to its model business associate language and guidance on conducting HIPAA risk assessments. The settlement resolution agreement and the CAP are available here.