Matthew Redding contributed to this post.
It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement. A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu.
North Memorial Health Care of Minnesota, a not-for-profit health care system, settled with the Office of Civil Rights for the Department of Health and Human Services (OCR) for $1.55 million resulting from allegations that it violated HIPAA by failing to timely implement a Business Associate Agreement with Accretive Health, Inc., a major contractor, and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.
The OCR’s investigation arose following North Memorial’s reporting of a HIPAA breach on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from the locked vehicle of a business associate’s (BA’s) workforce member, impacting the ePHI of almost 10,000 individuals. The investigation further revealed that North Memorial began providing Accretive with access to its PHI on March 21, 2011, and that the parties did not enter into a business associate agreement until October 14, 2011.
In addition to the fine, North Memorial is required to develop policies and procedures specific to documenting the BA relationship, modify its existing risk analysis process, and develop and implement an organization-wide risk management plan. The Resolution Agreement is available here.
In a press release, OCR director Jocelyn Samuels said:
“Two major cornerstones of the HIPAA Rules were overlooked by this entity. Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
Accretive Health, Inc. may be a familiar name to readers of this blog. In 2012, the Minnesota Attorney General’s office filed suit against Accretive for allegedly mining, analyzing and using their hospital clients’ data for purposes that were not disclosed to patients and which may adversely affect their access to care. This suit was subsequently settled for $2.5 million under an agreement under which Accretive agreed to cease operations in Minnesota. The AG’s lawsuit was triggered by the same laptop theft which compromised the healthcare data of North Memorial and another facility, Fairview Health Services. One stolen, unencrypted laptop of a BA has resulted in over $4 million in aggregate liabilities to three covered entities.
The lessons for covered entities from this continuing saga are clear:
- Encrypt your electronic data. All of it, everywhere it resides and whenever it is transmitted, and pay particular attention to laptops, mobile devices and media. (While you’re at it, be sure to protect paper data as well and shred it when it is no longer needed — it can be easily exploited by thieves and dumpster-divers).
- Make sure you have Business Associate Agreements with all business associates, and review them to make sure they are current and require appropriate safeguards and indemnify you from the costs of the BA’s breaches.
- Know your BAs and control what they do with your data. Accretive’s alleged aggressive collection efforts, such as accosting patients on gurneys in the emergency department or while recovering from surgery, did not reflect well on their hospital clients.
- Do not take your HIPAA obligations lightly. North Memorial’s incomplete HIPAA implementation and lack of attention to risk analysis may have contributed to the severity of the result.