$1.55 million settlement and remediation
According to the HHS Office of Civil Rights, North Memorial Health Care of Minnesota failed to complete a security risk assessment or risk analysis nor did it have compliant business associate agreements. The OCR considers these major cornerstones of HIPAA compliance. The important thing to understand about the security risk analysis is that it now focuses on IT infrastructure. Which means you must make sure you perform several key steps in the risk assessment or it’s not a valid or credible risk assessment. The Business Associate agreements are now a requirement of HIPAA compliance. A covered entity must have signed business associate agreements for all entities that may have access to PHI or ePHI.
What triggered the investigation that led to the $1.55 million settlement? There was a breach report filed on Sep. 27, 2011 regarding an unencrypted, password-protected laptop belonging to a BA. Make a note, it was NOT encrypted. You might argue, encryption is NOT required by the OCR for HIPAA compliance. Correct, but you must “address” how you will protect the PHI if it is NOT encrypted. A weak password does not protect PHI.
The OCR’s investigation found that North Memorial did not have business associate agreements in place with vendors that were processing PHI.
On top of the $1.55 million fine, North Memorial must perform a risk assessment, implement a risk management plan and train its workforce with the appropriate training.
Seems like it would be cheaper to be proactive vs. paying a fine and still having to do what is required. Take a free HIPAA Quick Check Risk Assessment to see how HIPAA compliant you are.
