Steep Price Tag for Not Entering a Business Associate Agreement

North Memorial Health Care of Minnesota (“North Memorial”) recently agreed to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by essentially failing to enter into a Business Associate Agreement. Pursuant to the settlement, North Memorial agreed to pay $1,550,000. This settlement is a reminder of the importance of executing business associate agreements before sharing protected health information.

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) initiated an investigation of North Memorial following its receipt of a breach report. The report indicated that a password-protected laptop had been stolen from a locked vehicle belonging to an employee of North Memorial’s business associate, Accretive Health, Inc. (“Accretive”). The laptop contained electronic protected health information on 9,497 individuals.

OCR’s investigation revealed that North Memorial had failed to enter into a business associate agreement with Accretive. Under the HIPAA Privacy and Security Rules, covered entities are required to enter into business associate agreements with all business associates to whom they provide protected health information. The investigation further revealed that North Memorial had failed to complete a risk analysis for the electronic protected health information that it maintained, accessed, and transmitted across its IT infrastructure. Such an analysis may have revealed the vulnerability posed by permitting protected health information to be stored on an unencrypted laptop.

Takeaways from this settlement:

  • Do not share protected health information with business associates without a valid business associate agreement in place. A valid business associate agreement almost certainly would have reduced North Memorial’s liability in this case.
  • Covered entities and business associates should perform HIPAA security risk analyses as required under the HIPAA Privacy and Security Rules. Such analyses may uncover vulnerabilities that can be easily addressed.
  • Electronic protected health information should be safeguarded with encryption technology. A high percentage of all breaches stem from lost or stolen portable devices. Encryption provides strong protection to covered entities and business associates in the event of a breach.