It has been a frequent message on this blog that the Office for Civil Rights (“OCR”) at the federal Department of Health and Human Services (“HHS”) has been providing numerous HIPAA lessons over the past few years through settlement announcements. The most recent lesson was released on March 16th. This time, North Memorial Health Care of Minnesota (“NMHC”) did not have a business associate agreement with a major service provider, nor had it conducted the required risk analysis under the Security Rule. NMHC’s violations netted it a $1.55 million fine and a Corrective Action Plan.
As laid out in the Resolution Agreement between NMHC and HHS, the problems first arose when NMHC self-reported that an unencrypted laptop containing information relating to about 2,800 patients was stolen from the locked car of an Accretive Health (“Accretive”) employee. Accretive was NMHC’s business associate. The report, as is usual, led to an investigation by OCR. In its investigation, OCR determined that NMHC began working with Accretive on March 21, 2001, but did not enter into a written business associate agreement (“BAA”) until October 14, 2011. Despite the lack of a BAA, NMHC afforded Accretive substantial access to protected health information during the seven-month gap. Further, in what is a common occurrence during an OCR investigation, it was determined that NMHC did not conduct a thorough risk analysis.
The confluence of all of these factors forms the basis for NMHC’s $1.55 million fine. While it is still not easy to determine how the fine was calculated, the announcement is yet another clear shot across the bow for healthcare organizations. Do not take chances; focus on all aspects of HIPAA compliance.
Interestingly, this settlement is the first one to address the requirement of having a business associate agreement. As set forth in the HIPAA regulations, covered entities must obtain reasonable assurances from each business associate that the business associate will appropriately safeguard protected health information. Such assurances take the form of a BAA. It is the covered entity’s obligation to put a BAA into place, which explains why NMHC had to face the music at this time.
However, the question often arises: what should happen if the covered entity and business associate cannot agree on the terms of a BAA? Arguably, this should never occur because the HIPAA regulations set out required elements that must be in a BAA. OCR even has model BAAs that entities can use. Despite the requirements under the regulations, parties frequently want to insert additional provisions that can cause disputes. If those additional provisions complicate reaching a final agreement, it is likely incumbent upon the covered entity not to share any information until the BAA is in place. As the NMHC settlement demonstrates, too much is riding on the outcome.
Lastly, the NMHC settlement is yet another reminder to double-check operations and ensure that all required BAAs are in place. Do not trust memory or operations; review and locate copies of the contracts. Without clear evidence that the BAA exists, it is a safe bet that it will be presumed to be missing. Do not become the next organization to join the OCR settlement list.