For our HIPAA-covered entity readers, we have asked these questions before: Have you taken a business associate inventory ? Have you undertaken a comprehensive risk assessment as required by HIPAA?
It's all getting real - read on.
As we and our sister blog have repeatedly emphasized, if you are a "Covered Entity" for HIPAA purposes, you must ensure that you have compliant business associate agreements (“BAAs”) in place with all of your business associates and must ensure that you have performed a comprehensive risk assessment. Otherwise, it will cost you. A $1.55 million settlement between North Memorial Health Care of Minnesota (“NMHC”) and the Office for Civil Rights (“OCR”) announced recently emphasizes the seriousness of these requirements.
NMHC came under investigation by OCR after a September 2011 breach involving the theft of an unencrypted laptop from a business associate’s employee’s car. The laptop contained the electronic protected health information of nearly 10,000 individuals. The investigation uncovered that NMHC had not entered into a BAA with the business associate, Accretive Health, when it engaged Accretive in March 2011 and did not enter into a BAA until October 2011. During this interim period, Accretive had access to the protected health information of more than 250,000 individuals. Additionally, OCR found that NMHC had not conducted an accurate and thorough enterprise-wide risk analysis.
In addition to the $1.55 million fine, NMHC agreed to enter into a corrective action plan (“CAP”) requiring it to develop policies and procedures related to business associate relationships, complete a risk assessment and develop and implement a risk management plan, and develop training for its workforce related to business associate requirements.
OCR’s announcement of the settlement was accompanied by links to its model business associate language and guidance on conducting HIPAA risk assessments. The settlement resolution agreement and the CAP are available here.