The latest OCR HIPAA settlement illustrates just how expensive business associate data breaches can be if a HIPAA-covered entity has not obtained a signed, compliant business associate agreement (BAA).
North Memorial Health Care of Minnesota has recently agreed to pay $1,550,000 to settle HIPAA violations that were discovered when the Department of Health and Human Services’ Office for Civil Rights conducted an investigation into a 2012 data breach.
The data breach that triggered the OCR investigation was not caused by North Memorial, but occurred as a result of the actions of one of its business associates, Accretive Health. An employee of Accretive Health took a laptop computer containing PHI supplied by the hospital, and left the device in a vehicle from where it was subsequently stolen. The laptop contained the PHI of 6,697 individuals.
Since the introduction of the HIPAA Omnibus Rule, which became effective on March 26, 2013, business associates can be fined directly if they accidentally or deliberately expose or disclose protected health information (PHI) to individuals unauthorized to view the data.
Before BAs are allowed to access PHI, HIPAA requires the covered entity to obtain a signed BAA. That BAA must outline the responsibilities of the BA with respect to PHI. It should be made clear in the BAA that the HIPAA Security Rule and HIPAA Privacy Rule must be adhered to. Business associate data breaches are covered by the HIPAA Breach Notification Rule. The BA must also be made aware of its responsibilities in the event of an exposure or disclosure of PHI.
Financial Penalties for Business Associate Data Breaches
If the BA fails to comply with HIPAA Rules, civil monetary penalties can be issued. Fines of up to $50,000 can be issued by OCR for each violation discovered. The fines can rise to a maximum of $1.5 million per calendar year that the violation was allowed to persist. In cases where multiple violations are discovered, such as a Privacy Rule violation and a Security Rule violation, fines well in excess of $1.5 million are possible.
In the case of business associate data breaches, it would be the BA that is liable to pay a civil monetary penalty, although that does not mean that the covered entity will not also be fined. While business associates must make every effort to ensure they comply with HIPAA Rules, the covered entity also has a responsibility to ensure that the PHI provided to the BA is being protected and that HIPAA Rules are being adhered to. Efforts should therefore be made by the covered entity to ensure this is the case.
Had a BAA been in place, Accretive Health would have been required to settle the charges for HIPAA violations. Accretive Health was required to conduct a risk analysis, as mandated by the HIPAA Security Rule, to identify potential security vulnerabilities that placed the PHI at risk of being exposed or obtained by unauthorized individuals.
When a breach occurs, OCR will investigate both the BA and the covered entity. Both may be liable to pay a civil monetary penalty if each has violated HIPAA Rules. In this case, OCR discovered that North Memorial had violated HIPAA by failing to conduct a risk analysis. Both would therefore have been likely to have to cover a settlement.
HIPAA Rules Must be Followed by All Covered Entities and Business Associates
This settlement should serve as a reminder to covered entities and their business associates that abiding by HIPAA Rules is not optional. If business associate data breaches occur as a result of violations of HIPAA Rules, an OCR financial penalty is likely to be issued.
While there does not appear to have been extensive enforcement of HIPAA Rules by OCR in recent years, covered entities and their BAs should bear in mind that financial settlements can take years to resolve. We are now seeing an increase in settlements from data breaches that occurred in 2011, 2012, and 2013. With the rise in data breaches reported in 2014 and 2015, the number of fines and settlements over the next 2-3 years is likely to increase substantially.