The HHS Office for Civil Rights has again imposed a heavy monetary fine and acceptance of a resolution agreement and corrective action plan on a provider organization following two substantial violations of the HIPAA privacy and security rules.

About 30 organizations now have agreed to such sanctions after OCR determined they were essentially ignoring HIPAA.

In the latest agreement, an unencrypted laptop at two-hospital North Memorial Health Care of Minnesota serving the Twin Cities region, was stolen in July 2011 from a business associate employee’s vehicle, putting protected health information at risk for 9,497 individuals, according to OCR. The provider paid a settlement fine of $1,550,000.

An investigation of the breach found that North Memorial did not comply with two core pieces of HIPAA that OCR focuses on: Having business associate agreements in place and completing a risk analysis addressing all potential risks and vulnerabilities to electronic protected health information. "Organizations must have in place compliant business associate agreements, as well as an accurate and thorough risk analysis that addresses their enteprisewide IT infrastructure," says Jocelyn Samuels, Director of OCR.

OCR Director Jocelyn Samuels
OCR Director Jocelyn Samuels HHS Office for Civil Rights

“North Memorial provided Accretive, a business associate, with access to North Memorial’s protected health information without obtaining satisfactory assurance from Accretive, in the form of a written business associate agreement, that Accretive would appropriately safeguard the PHI,” according to the resolution agreement. “North Memorial began providing Accretive with access to North Memorial’s PHI on March 21, 2011, and did not enter into a written business associate agreement with Accretive until October 14, 2011.”

Also See: Judge upholds OCR’s authority to enforce HIPAA

Because there was not a BAA, North Memorial disclosed PHI from at least 289,904 individuals during that time span, according to the resolution agreement.

Under the corrective action plan, North Memorial will develop policies and procedures for establishing business associate agreements, complete an updated and comprehensive risk analysis, develop an organization-wide risk management plan and develop employee training materials.

North Memorial in response to a request issued the following statement to HDM:

“The privacy of our customers’ health information is a top priority at North Memorial Health Care. We hold all of our team members to the highest standard when it comes to dealing with information involving our customers. It is unfortunate that one of our vendors failed to meet that expectation in 2011. We no longer have a relationship with this vendor. There has never been any indication that any of the information on the vendor’s laptop was ever accessed or used inappropriately.

 “Since this incident five years ago, we have revised our security risk analysis and further strengthened our processes. In addition, North Memorial Health Care continues to provide ongoing training in privacy and security, including HIPAA education.”

The resolution agreement and corrective action plan are available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access