On March 16, the Department of Health and Human Services' Office for Civil Rights (OCR) announced it has reached a settlement with North Memorial Health Care of Minnesota for HIPAA violations stemming from a 2011 data breach. North Memorial has agreed to pay a $1,550,000 fine to OCR to settle the HIPAA violation charges.
Following the PHI breach, OCR conducted an investigation and discovered HIPAA violations that contributed to the breach of 9,497 patient health records. The investigation found that North Memorial had overlooked "two major cornerstones of the HIPAA Rules," per OCR Director Jocelyn Samuels.
The data breach concerned the theft of a laptop from a business associate of North Memorial. The laptop computer was taken from the employee’s vehicle, and although the device was password-protected, the patient information on the device had not been encrypted.
The business associate, Accretive Health, Inc., had been contracted to perform a variety of payment and health care operations on behalf of North Memorial. However, North Memorial had not obtained a signed copy of a HIPAA-compliant business associate agreement (BAA) before granting access to patient information.
Under the HIPAA Rules, covered entities must obtain a signed BAA from any business associate that performs functions, activities or services for or on behalf of a covered entity and needs access to patient ePHI. The BAA should define the responsibilities of the business associate for ensuring that PHI is protected and is not disclosed to any unauthorized parties.
The investigation also found that North Memorial had not performed a comprehensive, organization-wide risk analysis. Consequently, North Memorial could not have identified all of its security vulnerabilities and was not in a position to address them.
A HIPAA risk analysis must cover “all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes,” per OCR.
In a statement issued on March 16, Samuels said, "Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure."