Featured Health Business Daily Story, April 14, 2016
Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.
So far this year, the HHS Office for Civil Rights (OCR) has announced four enforcement actions resolving allegations of HIPAA violations, with two coming the same week; both involved the theft of an unencrypted laptop.
On March 16, OCR announced a $1.55 million settlement with North Memorial Health Care of Minnesota that was triggered by a laptop that was stolen in July 2011. The twist in this case is that a business associate (BA) of the health system lost the device, but it is North Memorial that is the subject of the enforcement action. The laptop was in the locked trunk of a vehicle owned by a member of Accretive Health, a quality assessment and collection agency.
As with other agreements with OCR, this settlement also includes a corrective action plan, which lasts for two years from when the agency “approves the last of the policies and procedures, risk analysis, and risk management plan” submitted by North Memorial.
The settlement comes four years after the Minnesota attorney general sued Accretive itself for the same incident, alleging violations of HIPAA and state law. To settle that case, Accretive paid $2.5 million and agreed not to do business in the state for six years (RPP 8/12, p. 1).
Accretive was also working for North Memorial’s neighbor, Fairview Health, which notified 14,000 patients whose data were on the laptop. OCR has not announced any action against Fairview, and it is not known whether Fairview was also the subject of an OCR investigation. OCR frequently requires corrective actions of errant CEs that are not made public.
OCR did not pursue actions against Accretive because, at the time of the incident, the final rule holding business associates to HIPAA standards was not yet in effect (RPP 5/11, p. 1).
However, there was a way to hold North Memorial accountable. According to the OCR settlement, North Memorial did not have a BA agreement (BAA) with Accretive until three months after the laptop was stolen, even though it began giving Accretive access to its protected health information (PHI) in March 2011. The lost laptop contained PHI for approximately 9,500 patients from North Memorial.
Lacking this BAA meant that North Memorial “impermissibly disclosed the PHI of at least 289,904 individuals,” according to OCR.
In addition, OCR contended that North Memorial “failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.”
North Memorial officials declined to discuss the specifics of the settlement with RPP, but issued this statement: “The privacy of our customers’ health information is a top priority at North Memorial Health Care. We hold all of our team members to the highest standard when it comes to dealing with information involving our customers. It is unfortunate that one of our vendors failed to meet that expectation in 2011. We no longer have a relationship with this vendor. There has never been any indication that any of the information on the vendor’s laptop was ever accessed or used inappropriately.”
North Memorial also detailed changes it had made. “Since this incident five years ago, we have revised our security risk analysis and further strengthened our processes,” the statement continued. “In addition, North Memorial Health Care continues to provide ongoing training in privacy and security,” including HIPAA education.
The day after the North Memorial settlement was announced, OCR issued news of a record settlement to a single organization. The Feinstein Institute for Medical Research agreed to pay $3.9 million and follow a three-year corrective action plan (see story, p. 1). This settlement was also triggered by a stolen laptop.
The first two settlements of the year were announced in February. OCR signed a $25,000 agreement with a physical therapy provider in California for using patient testimonials without appropriate authorizations (RPP 3/16, p. 1). In addition, an administrative law judge upheld a $239,800 fine against Lincare, Inc., a home health agency (RPP 2/16, p. 3).
© 2016 by Atlantic Information Services, Inc. All Rights Reserved.