$1.55 Million Settlement Underscores the Importance of HIPAA Business Associate Agreements

A stolen computer led to the North Memorial Health Care of Minnesota paying $1.55 million for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

North Memorial Hospital was charged with two HIPAA Privacy and Security Rule violations subsequent to an U.S. Department of Health and Human Services Office of Civil Rights (OCR) investigation. The investigation was initiated after a laptop was stolen from a North Memorial Hospital employee's car.

Specifically, OCR alleged that North Memorial did not having a business associate agreement in place, and was not performing due diligence on risk analysis as required in HIPAA's Privacy and Security Rules.

In particular, OCR alleged that North Memorial did not have the proper agreements in place to let a third party handle payment and health care operations, and North Memorial allowed Accretive Health Inc. - a hospital debt collection company - to access North Memorial's hospital database. Accretive had access to electronic protected health information (ePHI) of 9,497 patients, as well as access to hard copies of protected health information.

Jocelyn Samuels, HHS's OCR director, said North Memorial did not meet two basic requirements of HIPAA. First, North Memorial did not have a business associate agreement in place with Accretive, and second, North Memorial did not have "an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure" as required by HIPAA.

The official announcement from HHS states, "The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure - including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes."

In addition to the payout, North Memorial has to develop a risk analysis and management plan that meets the requirements of HIPAA's security rules. North Memorial must also train its employees to use and follow the new plan.

Under the agreement, North Memorial and OCR stipulated that North Memorial did not commit any wrongdoing. The full resolution agreement may be read here.

How to Stay Compliant

To avoid a similar outcome from happening to you or your healthcare company, HHS offers a sample Business Associate Agreement, as well as a Risk Assessment guide. Sample business associate agreement here. Here is a risk assessment guide from HHS.

If you or your company are concerned about compliance, if you need assistance with compliance, or find yourself subject to an OCR audit, contact the Medicaid team at Levy Pruett Cullen today.

With two decades of experience defending practitioners and healthcare providers from allegations of Medicare and Medicaid fraud (linked to page), improper coding or billing, accepting kickbacks, false medical claims, overbilling, improper coding practices, unnecessary medical treatment, altered documents, Department of Audits and Accounts (DOAA) recoupment, improper insurance collections and duplicate billings, or Prescription Drug Crimes, Levy Pruett Cullen is a law firm uniquely tailored to your needs.