Final HIPAA Lessons

It has been a frequent message on this blog that the Office for Civil Rights (“OCR”) at the federal Department of Health and Human Services (“HHS”) has been providing numerous HIPAA lessons over the past few years through settlement announcements. The most recent lesson was released on March 16th. This time, North Memorial Health Care of Minnesota (“NMHC”) did not have a business associate agreement with a major service provider, nor had it conducted the risk analysis required under the Security Rule. NMHC’s violations netted it a $1.55 million fine and a Corrective Action Plan.

As laid out in the Resolution Agreement between NMHC and HHS, the problems first arose when NMHC self-reported that an unencrypted laptop containing information relating to about 2,800 patients was stolen from the locked car of an Accretive Health (“Accretive”) employee. Accretive was NMHC’s business associate. The report, as is usual, led to an investigation by OCR. In its investigation, OCR determined that NMHC began working with Accretive on March 21, 2001, but did not enter into a written business associate agreement (“BAA”) until October 14, 2011. Despite the lack of a BAA, NMHC afforded Accretive substantial access to protected health information during the seven month gap. Further, in what is a common occurrence during an OCR investigation, it was determined that NMHC had not conducted a thorough risk analysis.

The confluence of all of these factors forms the basis for NMHC’s $1.55 million fine. While it is still not easy to determine how the fine was calculated, the announcement is yet another clear shot across the bow for healthcare organizations. Do not take chances; focus on all aspects of HIPAA compliance.

Interestingly, this settlement is the first one to address the requirement of needing a business associate agreement. As set forth in the HIPAA regulations, covered entities must obtain reasonable assurances from each business associate that the business associate will appropriately safeguard protected health information. Such assurances are done in the form of a BAA. It is the covered entity’s obligation to put a BAA into place, which explains why NMHC had to face the music at this time.

However, the question often arises of what should happen if the covered entity and business associate cannot agree on the terms of a BAA. Arguably, this should never occur because the HIPAA regulations set out required elements that must be in a BAA. OCR even has model BAAs that entities can use. Despite the requirements under the regulations, parties frequently want to insert additional provisions that can cause disputes. If those additional provisions complicate reaching a final agreement, it is likely incumbent upon the covered entity not to share any information until the BAA is in place. As the NMHC settlement demonstrates, too much is riding on the outcome.

Lastly, the NMHC settlement is yet another reminder to double-check operations and ensure that all required BAAs are in place. Do not trust memory or operations; review and locate copies of the contracts. Without clear evidence that a BAA exists, it is a safe bet that it will be presumed to be missing. Do not become the next organization to join the OCR settlement list.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.