Blog

$1.55 million settlement underscores the importance of executing HIPAA business associate agreements

$1.55 million settlement underscores the importance of executing HIPAA business associate agreements

March 16, 2016

 

North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.  North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.

 

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

 

OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.

 

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf.  North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients.  Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

 

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

 

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule.  North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

 

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.

 

HHS offers model business associate agreement language at:  http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html as well as guidance on conducting a HIPAA Risk Analysis:  http://www.healthit.gov/providers-professionals/security-risk-assessment.

 

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at www.hhs.gov/ocr.

 

Follow OCR on Twitter at http://twitter.com/HHSOCR.

Continue reading
698 Hits

TX House Bill 300: Everything Is Bigger In Texas!

ed on: December 1st, 2015 by Mike

TX HB 300 fines

 

 

 

 

Organizations in Texas that create, store, handle, transmit or have access to protected health information (PHI) need to be informed of TX House Bill 300.

Fewer things are as personal, private or important as medical records. Texas lawmakers were serious about protecting sensitive information when they passed TX H.B 300 in 2011. Lawmakers were concerned that the federal HIPAA did not go far enough to safeguard PHI in Texas. TX H.B 300 went into effect on September 1, 2012.

The Health Insurance Portability and Accountability Act (HIPAA) was created to safeguard PHI. Covered entities and business associates that handle PHI are required by law to follow federal HIPAA regulations. If privacy and security rules are violated then the covered entity and/or business associate may be penalized. Depending on the violation, fines could be quite substantial.

Texas H.B. 300 goes above and beyond federal HIPAA regulations to keep PHI secure. This law serves to increase the number of covered entities that are required to be HIPAA compliant, expand compliance guidelines, and enhance enforcement for TX entities that are non-compliant. As the saying goes, everything is bigger in Texas. If a TX organization is found to be non-compliant with HIPAA guidelines it could also be fined for TX H.B. 300 violations.

Continue reading
1171 Hits

Blog Archive

February
March
April
May
June
July
August
September
October
November
December
January
March
April
May
July
August
September
October
January
February
April
August
September
October
November
December
January
February
March
April
May
June
July
August
September
October
November

Get a 10% Discount in Your Inbox

Where to find us?

Address
Compliance Learning Solutions, LLC
395 Sawdust Road, Suite 2136
The Woodlands, Texas 77380-2299
Phone Number
1-888-447-5517
Email
contactus@complyls.com