North Memorial Health Care of Minnesota will pay approximately $1.5 million to settle potential HIPAA violations after it failed to identify one of its business associates and to put an agreement in place with it, the Department of Health and Human Services (HHS) reports.
A business associate is an organization that performs work for, or on behalf of, a covered entity and that creates, receives, maintains or transmits protected health information (PHI) in doing so. A covered entity that uses business associates must have a signed business associate agreement (BAA) with each of them, so that the business associate is contractually bound to safeguard any PHI it handles.
In North Memorial’s case, the hospital failed to identify Accretive Health, Inc. as a business associate. Under the terms of their working relationship, Accretive had access to North Memorial’s databases, which contained PHI.
That access became a problem when an Accretive employee’s laptop was stolen, exposing PHI for thousands of North Memorial patients. The hospital first notified HHS of the incident on September 27, 2011, and told the agency that the breach had been discovered on July 25, 2011. North Memorial originally told HHS that the laptop contained PHI for 2,800 patients; that figure was later revised upward by 6,697, to 9,497 patients.
Although North Memorial reported to HHS that Accretive was one of its business associates, the department learned on further investigation that, for a period of time, there was no signed agreement between the two entities.
A signed business associate agreement matters because it is the contractual mechanism that obligates the business associate to implement appropriate safeguards for the healthcare data it receives.
According to HHS’s findings, North Memorial began sending PHI to Accretive on March 21, 2011, but the two did not enter into a written agreement until October 14, 2011. That is a period of more than six months during which PHI flowed between the two entities without a business associate agreement in place.
As a result, North Memorial has agreed to pay HHS $1,550,000 to settle the matter.
The healthcare organization must also adhere to a corrective action plan. The plan calls for North Memorial to develop business associate policies and procedures, modify its existing risk analysis procedures, develop internal risk management plans, and undergo training.
This case illustrates how important it is for covered entities to identify their business associates and to spell out the terms of each relationship in writing. A written contract that binds the business associate to HIPAA’s requirements is how a healthcare organization ensures that PHI will be adequately safeguarded once it leaves the organization’s own systems.
Likewise, these agreements ensure that, in the unfortunate event of a healthcare data breach, the business associate can be held accountable, including in federal regulatory actions.
A business associate agreement needs to fully address the permitted uses and disclosures of PHI by the business associate. This makes clear that the business associate may disclose PHI only to specifically identified entities or individuals, and holds it accountable under HIPAA if it does not adhere to those rules.
A business associate agreement must also extend the same restrictions and conditions to any subcontractors the business associate uses to handle PHI.
Finally, the agreement should set out the safeguards the covered entity expects the business associate to apply to PHI, and should specify that, at the end of the relationship, the business associate must return the PHI to the covered entity or destroy it.