North Memorial Health Care of Minnesota, a nonprofit medical facility in Robbinsdale, has agreed to pay the Department of Health and Human Services (HHS) $1.55 million for violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
According to the agreement, the Office for Civil Rights (OCR) had alleged that North Memorial Health Care of Minnesota violated the Privacy and Security Rules by failing to put the required Business Associate Agreement (BAA) in place with a contractor, and by failing to conduct an organization-wide risk analysis to identify potential risks and vulnerabilities to patient information.
The OCR began its investigation of North Memorial Health Care of Minnesota on September 27, 2011. Investigators determined that an unencrypted laptop storing Electronic Protected Health Information (EPHI) had been lost; the laptop was believed to have been stolen from a business associate's locked vehicle, potentially exposing the EPHI of some 9,497 patients.
As a result of this incident, OCR investigators claimed that North Memorial violated HIPAA by failing to have a BAA in place, which is a requirement under the HIPAA Privacy and Security Rules. The healthcare facility had given its business associate access to its hospital database containing the records of 289,904 patients. Furthermore, investigators found that North Memorial had failed to conduct regular risk analyses to identify potential risks and vulnerabilities to the EPHI it maintained.
“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said OCR Director Jocelyn Samuels in a statement. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
North Memorial Health Care of Minnesota has agreed to pay $1.55 million to settle the allegations of HIPAA violations. In addition to this payment, the facility must develop a risk analysis and risk management plan, and train its workforce on the policies and procedures associated with that plan.
This case reinforces the importance of maintaining compliance with HIPAA. Whether you are a doctor, chiropractor, dentist or any other covered entity, you need to familiarize yourself with the requirements of HIPAA. Failure to do so could result in hefty penalties exceeding $1 million, as in the case of North Memorial.
You can access the Resolution Agreement involving North Memorial Health Care of Minnesota on the HHS website.