Matthew Redding contributed to this post.

It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement.  A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu.

North Memorial Health Care of Minnesota, a not-for-profit health care system, settled with the Office of Civil Rights for the Department of Health and Human Services (OCR) for $1.55 million resulting from allegations that it violated HIPAA by failing to timely implement a Business Associate Agreement with Accretive Health, Inc., a major contractor, and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

The OCR’s investigation arose following North Memorial’s reporting of a HIPAA breach on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from the locked vehicle of a business associate’s (BA’s) workforce member, impacting the ePHI of almost 10,000 individuals. The investigation further revealed that North Memorial began providing Accretive with access to its PHI on March 21, 2011, and that the parties did not enter into a business associate agreement until October 14, 2011.

In addition to the fine, North Memorial is required to develop policies and procedures specific to documenting the BA relationship, modify its existing risk analysis process, and develop and implement an organization-wide risk management plan. The Resolution Agreement is available here.

In a press release, OCR director Jocelyn Samuel said:

“Two major cornerstones of the HIPAA Rules were overlooked by this entity.  Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

Accretive Health, Inc. may be a familiar name to readers of this blog.  In 2012, the Minnesota Attorney General’s office filed suit against Accretive for allegedly mining, analyzing and using their hospital clients’ data for purposes that were not disclosed to patients and which may adversely affect their access to care.  This suit was subsequently settled for $2.5 million under an agreement under which Accretive agreed to cease operations in Minnesota.  The AG’s lawsuit was triggered by the same laptop theft which compromised the healthcare data of North Memorial and another facility, Fairview Health Services.  One stolen, unencrypted laptop of a BA has resulted in over $4 million in aggregate liabilities to three covered entities.

The lessons for covered entities from this continuing saga are clear:

  • Encrypt your electronic data. All of it, everywhere it resides and whenever it is transmitted, and pay particular attention to laptops, mobile devices and media.  (While you’re at it, be sure to protect paper data as well and shred it when it is no longer needed  — it can be easily exploited by thieves and dumpster-divers).
  • Make sure you have Business Associate Agreements with all business associates, and review them to make sure they are current and require appropriate safeguards and indemnify you from the costs of the BA’s breaches.
  • Know your BAs and control what they do with your data.  Accretive’s alleged aggressive collection efforts, such as accosting patients on gurneys in the emergency department or while recovering from surgery, did not reflect well on their hospital clients.
  • Do not take your HIPAA obligations lightly.  North Memorial’s incomplete HIPAA implementation and lack of attention to risk analysis may have contributed to the severity of the result.

Is the PHI on all your mobile devices encrypted?  If not, here’s another two million reasons to make encryption your top priority. The Office of Civil Rights (OCR) of the Department of Health and Human Services announced on April 22, 2014 that they had imposed nearly $2 million in penalties on two entities as a result of the theft of unencrypted laptops.

As previously noted in this blog, theft or loss of laptops or other portable electronic devices remains a predominant factor in HIPAA breaches, constituting 57.5% of the approximately 400 List Breaches that involved reported theft or loss as of August 2013.

In the first incident, Concentra Health Services was fined $1,725,220 and agreed to adopt a corrective action plan after an OCR investigation following a report of the theft of an unencrypted laptop from a physical therapy clinic.  According to the press release,

“OCR’s investigation revealed Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.”

This isn’t Concentra’s first experience with laptop theft. The OCR list of Breaches Affecting 500 or More Individuals (also known as the “Wall of Shame”) includes two prior similar incidents, one in 2009 and another in 2011. (It is unclear whether this theft was related to the 2011 incident). Modern Healthcare reports that Concentra reported 16 additional breaches involving fewer than 500 individuals’ records.  So, although 434 out of 597 laptops had been encrypted according to, a batting average of .726 wasn’t good enough given their status as repeat offenders. Concentra’s resolution agreement, including the Corrective Action Plan, is available here and is worth reading.  Among other conditions, OCR requires that the company provide an update regarding its encryption status, including the percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted and an explanation for the percentage of devices and equipment that are not encrypted.

The company’s incomplete and inadequate implementation of compliance steps after known vulnerabilities had been identified may also have contributed to the severity of the penalty.  One of the worst things a covered entity or business associate can do is to engage in a half-hearted compliance effort that documents knowledge of uncorrected problems.

In the second case, Arkansas-based QCA Health Plan reported the theft of an unencrypted laptop containing records of 148 individuals. OCR noted that its investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to pay $250,000 and implement upgraded security procedures and employee training. QCA’s Resolution Agreement and Corrective Action Plan is here. This case marks only the second time OCR has fined an entity for a breach involving fewer than 500 individuals’ PHI, following the Hospice of North Idaho settlement.

One lesson is clear from both incidents: if these laptops had been encrypted in accordance with NIST standards, neither entity would have been subjected to fines and additional government oversight.  As enforcement continues to ramp up and target both Covered Entities and Business Associates, and as the use of mobile devices continues to increase, there is no excuse to delay full implementation of encryption.  Encryption isn’t a panacea, but it’s as close as you can get in the HIPAA compliance world.

Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer’s medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the same hospital, was frustrated by the hospital administration’s delays in responding to her complaints and notified others including the FBI, her state senator and the American Civil Liberties Union before action was taken.

The Rutland, VT Herald reports that Kathy Tatro of Bennington, VT pleaded guilty to four counts of unauthorized access to computer records in a plea bargain that imposed probation and required her to serve 160 hours of community service, which will include talking to medical employees about the importance of privacy regarding patient records. The Bennington Banner reports that Ms. Tatro was given a 6-12 month suspended sentence, 2 years probation and a $2,000 fine.

This blog has noted other instances of snooping leading to serious consequences, including the case of a UCLA researcher sentenced to prison time for reading records of celebrities and co-workers, a Texas nurse fired for unauthorized access, a California hospital fined after employees accessed Michael Jackson’s records, a New York hospital that suspended employees for accessing George Clooney’s records after a motorcycle accident, and the termination of 16 hospital employees for accessing the records of an injured first-year resident.

The Vermont ACLU claims that this incident is “believed to be the most extensive breach of personal electronic medical records ever reported in Vermont.” The ACLU noted that the victim had explained in court how the system let her down.

“No investigation was begun nor any remedial action taken until she spoke up, complained, and dogged doctors, hospital administrators and trustees, state officials, federal officials, police officers, and the state’s attorney to do something. The privacy protections in place don’t work on their own; you have to fight to protect your rights.”

Based on reports, it appears this case was brought solely under state privacy laws, not HIPAA. It is not clear whether the Vermont Attorney General was involved, even though it seems that the victim alerted a variety of authorities.

This case is yet another cautionary tale that should be considered by anyone in a position to access health records without a legitimate purpose, as well as by hospitals and other covered entities, who should reevaluate the safeguards they have in place to track and prevent, or at least discourage, unauthorized access.

In a press release dated July 27, 2010, the Department of Health and Human Services announced a settlement under which Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential HIPAA violations.  The pharmacy chain also entered into a consent order with the Federal Trade Commission.

HHS reports that the investigation was triggered by television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public.  Rite Aid stores were among the pharmacies shown in the videos.

Under the HHS resolution agreement, in addition to the $1 million restitution payment, Rite Aid must implement a three-year corrective action program that includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR Website here.

In the first settlement of a HIPAA enforcement action brought by a state attorney general under the new authority granted by the HITECH Act, Connecticut Attorney General Richard Blumenthal announced that the state had entered into an agreement with Health Net for failing to secure patient health and financial information.  The AG had brought suit in January based on Health Net’s loss of a hard drive containing over 500,000 individuals’ records including clinical data, social security numbers, addresses, and other financial information. The company had concluded that the hard drive had been lost due to theft. Compounding the damage, the AG alleged that the company had delayed notifying the affected individuals for over six months.

The press release issued by the AG states:

  • Under this settlement, Health Net and its affiliates have agreed to:
    • A “Corrective Action Plan” in which Health Net is implementing several detailed measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
    • A $250,000 payment to the state representing statutory damages. This payment is intended as a future deterrent to such conduct not only by Health Net, but by other insurers and health care entities that are entrusted with individuals’ private information.
    • An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

The full settlement is here.

The more famous the patient, the greater the temptation to peek at his or her medical records. This is why California enacted health privacy legislation in 2008. Among the latest providers to be fined by the state is Ronald Reagan UCLA Medical Center in Los Angeles, reportedly as a result of two employees’ unauthorized access of Michael Jackson’s medical records. The LA Times indicates that the employees who accessed the records have been fired.  State regulators would not confirm that the records were Jackson’s, but the Times cites sources close to Jackson’s case who said his legal team had previously been informed by UCLA officials that Jackson’s medical files had been improperly accessed shortly after his death last year.

California’s state privacy laws, SB 541 and AB 211, which parallel HIPAA in many respects, established the California Office of Health Information Integrity, which is authorized to enforce health privacy rules and impose fines on violators.  Fines range from $25,000 to $250,000 per violation.

Well-known persons whose records have been improperly viewed in California include Farrah Fawcett, Britney Spears, “Octomom” Nadya Suleman, and Maria Shriver, wife of Governor Arnold Schwarzenegger.

In a related item, the Riverside, CA Press-Enterprise reports that Community Hospital of San Bernardino has been fined $325,000 as a result of unauthorized access of over 200 patient records by a radiology technologist in 2009. Other hospitals fined include Enloe Medical Center, Rideout Memorial Hospital and San Joaquin Community Hospital, according to the California Department of Public Health.

A UCLA hospital employee was sentenced to the first reported prison term for unauthorized access of medical records earlier this year.

A former researcher at UCLA has the dubious distinction of being the first person sentenced to prison under HIPAA for snooping through medical records.

The Justice Department press release reports that the researcher, Huping Zhou, who admitted to illegally reading private and confidential medical records, mostly from celebrities and other high-profile patients, was sentenced to four months in federal prison. Zhou specifically admitted to knowingly obtaining individually identifiable health information without a valid reason, medical or otherwise. Zhou is the first person in the nation to be convicted and incarcerated for misdemeanor HIPAA offenses for merely accessing confidential records without a valid reason or authorization.

Zhou accessed patient records 323 times over a three week period after learning that he was being dismissed for poor performance.

Significantly, the DOJ stated: “There is no evidence that Zhou improperly used or attempted to sell any of the information that he illegally accessed.”

On March 15, 2010, the Office of Civil Rights of the Department of Health and Human Services published an update on their rulemaking and enforcement efforts under the HITECH Act.  It can be accessed here.

OCR acknowledged that they are still working on rulemaking covering business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  They reminded covered entities that the HITECH interim final rule on Breach Notification will be enforced for breaches that occur after February 22, 2010, and that new civil money penalty amounts will apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2010.

OCR states that its forthcoming Notice of Proposed Rulemaking and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of the remaining new requirements.  Note – this is not the same as an indefinite deferral of compliance obligations.  The safest approach remains good faith compliance with the HITECH Act now.

On October 30, 2009, the Secretary of the HHS adopted an Interim Final Rule amending HIPAA’s enforcement regulations relating to the imposition of civil monetary penalties (“CMP”). Most significantly, the Interim Final Rule distinguishes between violations occurring before February 18, 2009 and violations occurring on or after that date with regard to the penalty amount and available affirmative defenses. For violations occurring prior to February 18, 2009, the range of CMP amounts will not change (i.e., maximum penalty amount for each violation is not more than $100 and maximum penalty amount for all violations of an identical requirement or prohibition during a calendar year is not to exceed $25,000). The amendments focus on a Covered Entity’s culpability, and provide the following categories of violations and penalties per violation:

  • Category 1 – Covered Entity did not know of the violation and would not have known through the exercise of reasonable diligence (each violation: $100-$50,000);
  • Category 2 – Violation was due to a reasonable cause (each violation: $1,000 to $50,000);
  • Category 3 – Covered Entity demonstrated willful neglect but corrected the violation ($10,000 to $50,000); and
  • Category 4 – Covered Entity demonstrated willful neglect and did not correct the violation ($50,000).

HHS will not impose the maximum penalty in all cases, but rather, will base the penalty on the nature and extent of the violation and resulting harm, as well as other factors including the Covered Entity’s compliance history and financial condition. Regarding affirmative defenses, for violations on or after February 18, 2009, a Covered Entity may not assert an affirmative defense that it did not know and reasonably should not have known of a violation unless it also corrects the violation during the 30-day period beginning on the first date it learned of the violation, or during another period of time determined by HHS. The exception is violations due to willful neglect that were not corrected (Category 4), which are ineligible for an extension of the 30-day period and for which a timely correction cannot serve as an affirmative defense.

The Interim Final Rule specifies that HHS may continue to provide waivers for violations due to reasonable cause and not willful neglect if the violations are timely corrected. Finally, the amendments relocate the terms “reasonable cause”, “reasonable diligence”, and “willful neglect” to signal the terms’ applicability to the entire subpart D, and require HHS to identify the applicable violation category upon which a proposed penalty is based.

HHS invited public comments on: (1) the calculation of the start of the 30-day cure period for purposes of determining the penalty tier for a violation due to willful neglect; (2) whether the reorganization of the definitions of “reasonable cause”, “reasonable diligence”, and “willful neglect” will lead to any unintended consequences; and (3) HHS’ interpretation of certain ambiguous language. Comments are due by December 29, 2009.