As we've previously covered, a Business Associate Agreement (BAA) is a written contract between a Covered Entity (CE) and a Business Associate (BA). It is required for HIPAA compliance. In fact, a Covered Entity in Minnesota recently agreed to a $1.55 million fine for not having a BAA in place with one of its Business Associates.
North Memorial Health Care of Minnesota has agreed to pay $1.55M to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a Business Associate Agreement with a major contractor. It also failed to conduct an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.
“Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). OCR began its investigation of North Memorial following receipt of a breach report on 27 September 2011, which indicated that an unencrypted, password-protected laptop was stolen from a Business Associate’s workforce member’s car. This stolen laptop impacted the electronic protected health information (ePHI) of 9,497 individuals.
In this case, the laptop was stolen from a Business Associate's car, not from an employee of North Memorial. As we've covered before, stolen laptops continue to be a cause of immense HIPAA fines.
OCR’s investigation uncovered that North Memorial failed to have in place a BAA, as required under the HIPAA Privacy and Security Rules. North Memorial gave its Business Associate, Accretive Health, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive Health also received access to non-electronic protected health information as it performed services on-site at North Memorial. This isn't the first time Accretive Health has seen bad press in Minnesota. In 2012, it agreed to pay a $2.5M fine and leave the state as part of a settlement of a federal lawsuit brought by state Attorney General Lori Swanson. As for North Memorial, the investigation further determined that it failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted. The scope of the risk analysis must be across its entire IT infrastructure. In addition to the $1.55M fine, North Memorial is required to develop an organization-wide risk analysis and risk management plan. More information can be found on the HHS website.
About North Memorial Health Care of Minnesota North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.
SEE ALSO: Free Disk Encryption for Mac OS