Seven-Figure Settlement Reinforces Necessity of Business Associate Agreements
On March 16, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that North Memorial Health Care of Minnesota (“Memorial”) agreed to pay $1.55 million to resolve allegations that it violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Memorial settlement emphasizes the necessity of (and potential exposure for) covered entities and business associates executing a HIPAA-compliant business associate agreement (“BAA”) in each situation where a BAA is required.
Memorial is a Minnesota not-for-profit health system. OCR’s investigation of Memorial began after Memorial reported a HIPAA breach in September 2011. According to OCR’s press release announcing the Memorial settlement, Memorial’s breach report indicated that an unencrypted, password-protected laptop was stolen from the car of an Accretive Health (“Accretive”) workforce member. The laptop contained the electronic protected health information (“ePHI”) of 9,497 individuals.
Accretive was a business associate of Memorial that, according to the OCR press release, performed certain payment and health care operations on behalf of Memorial. According to the OCR press release, Accretive had access to Memorial’s database that stored the ePHI of 289,904 patients and to other Memorial PHI that was not ePHI.
Following OCR’s investigation of Memorial’s HIPAA breach report, OCR alleged Memorial: (1) did not have a BAA in place with Accretive, as required by HIPAA; and (2) failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI across its IT infrastructure.
Memorial and OCR entered into a Resolution Agreement and comprehensive Corrective Action Plan to resolve the allegations. In addition to the substantial payment, Memorial agreed to do the following as part of the Corrective Action Plan:
- Develop and submit to OCR policies and procedures related to implementing BAAs;
- Submit to OCR an updated and comprehensive risk analysis;
- Develop a risk management plan to address any security risks and vulnerabilities identified in the risk assessment;
- Prepare and submit to OCR training materials related to the new policies and procedures. Once the training materials are approved by OCR, Memorial agreed to provide training to all appropriate workforce members and thereafter provide annual re-training; and
- Provide an annual report to OCR with respect to Memorial’s compliance with the Corrective Action Plan for the term of the Corrective Action Plan.
As part of a thorough and substantive HIPAA compliance program, covered entities should have policies and procedures in place to: (1) identify when a BAA is required; and (2) ensure that a BAA is executed before business associate services commence. It is imperative that each executed BAA comply with HIPAA requirements.
OCR has been active with HIPAA enforcement activities and Saul Ewing continues to monitor these developments. Other Saul Ewing articles about OCR HIPAA resolutions may be found here:
Saul Ewing attorneys have extensive experience assisting covered entities and business associates with HIPAA Privacy Rule, Security Rule and Breach Notification Rule compliance. Saul Ewing’s attorneys routinely draft, analyze and negotiate BAAs, prepare HIPAA compliance protocols and assist covered entities and business associates with risk assessments. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.