OCR Levies fine for lack of business associate agreements
$1.55 million settlement and remediation
What triggered the investigation that led to the $1.55 million settlement? A breach report filed on Sep. 27, 2011 regarding an unencrypted, password-protected laptop belonging to a business associate (BA). Make a note: the laptop was NOT encrypted. You might argue that encryption is NOT required by the OCR for HIPAA compliance. Correct, but you must "address" how you will protect the PHI if it is NOT encrypted, and a weak password does not protect PHI.
The OCR's investigation found that North Memorial did not have business associate agreements in place with vendors that were processing PHI.
On top of the $1.55 million fine, North Memorial must perform a risk assessment, implement a risk management plan and provide its workforce with the appropriate training.
It seems it would be cheaper to be proactive than to pay a fine and still have to do what is required. Take a free HIPAA Quick Check Risk Assessment (http://hipaa-quickcheck.com/) to see how HIPAA compliant you are.