OCR Announces $1.55 Million Settlement Based on Failure to Have a Business Associate Agreement in Place and Conduct an Organization-Wide Risk Analysis

The Office for Civil Rights (OCR) announced on March 16, 2016, that North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle allegations that it violated the HIPAA Privacy and Security Rules by failing to implement a Business Associate Agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. The OCR initiated an investigation of North Memorial following receipt of a breach report that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.

The OCR discovered that North Memorial did not have a business associate agreement in place with this business associate, Accreative. North Memorial had given Accreative access to North Memorial's hospital database, which stored the ePHI of 289,904 patients. Accreative also had access to non-electronic protected health information because it performed services on site at North Memorial.

The OCR investigation also determined that North Memorial failed to complete a risk analysis addressing all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure, including all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

A copy of the OCR press release on the settlement is available in the News Releases section of http://www.hhs.gov.

Written by: Clay J. Countryman
