North Memorial Healthcare has agreed to pay the Department of Health and Human Services’ Office for Civil Rights (OCR) $1.5 million for failing to obtain a HIPAA-compliant business associate agreement from a major contractor. North Memorial also failed to conduct a comprehensive, organization-wide risk analysis, according to a statement issued by the OCR.
The OCR initiated an investigation into North Memorial Healthcare after receiving a data breach report in September 2011. A laptop computer belonging to an Accretive Health employee was stolen from a locked vehicle, resulting in the exposure of 9,497 individuals’ ePHI. During the course of the investigation, OCR discovered that North Memorial had provided Accretive Health, Inc., with access to its database to allow certain payment and healthcare operations to be performed on its behalf. The database contained the protected health information of 289,904 North Memorial patients.
However, North Memorial had not entered into a business associate agreement with Accretive Health. No signed agreement existed between the two organizations at the time that ePHI access was provided. The Health Insurance Portability and Accountability Act requires all covered entities to enter into a business associate agreement with all business associates that are provided with access to the protected health information of patients. A signed BAA must be obtained prior to ePHI being disclosed to a business associate.
If a BAA is not issued, a business associate may not be aware that certain precautions must be taken when handling ePHI, and that appropriate safeguards must be put in place to ensure ePHI is secured and unauthorized access is prevented.
OCR investigators determined that access to ePHI had been granted to Accretive Health on March 21, 2011, yet a written agreement had not been obtained until October 14, 2011, more than 6 months later.
That was not the only violation of HIPAA Rules discovered by OCR investigators. North Memorial had not conducted an organization-wide risk analysis to identify security vulnerabilities that placed ePHI at risk.
The OCR reported that the risk analysis should have covered all software, applications, databases, workstations, servers, portable electronic devices, security devices, network administration, and all associated business practices. If organizations do not conduct risk analyses, risks may persist unaddressed that could result in ePHI being exposed, compromised, or stolen.
In addition to the payment of the $1,550,000 fine, North Memorial must comply with a corrective action plan (CAP). Under the CAP, North Memorial must conduct an organization-wide risk analysis and provide further training to all appropriate employees on new policies and procedures detailed in the CAP.