Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Million Settlement

Mar 18, 2016
  • Health Care
  • White Collar Crime

Yesterday the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that North Memorial Health System of Minnesota (“North Memorial”) agreed to pay $1.5 million to settle charges that it potentially violated HIPAA Privacy and Security Rules by improperly disclosing PHI on nearly 300,000 patients during a five month period in 2011.

North Memorial reported on September 27, 2011, that an unencrypted laptop that contained electronic PHI of 6,697 patients was stolen on July 25, 2011, from an employee’s locked vehicle. North Memorial disclosed additional violations during the course of the OCR investigation.  Specifically, North Memorial disclosed that the company did not have a written business associate agreement (“BAA”) with its third party billing company, Accretive, from March 21, 2011 to October 14, 2011 when a written BAA was provided, resulting in the improper disclosure of PHI of at least 289,904 individuals.

HIPAA Privacy and Security Rules mandate that organizations must have in place a BAA with any company that has access to PHI, both non-electronic and electronic.  OCR’s investigation indicated that North Memorial gave Accretive access to its hospital database and also access to non-electronic PHI when services were performed on-site.

HIPAA Privacy and Security Rules require a thorough and complete risk analysis to identify potential vulnerabilities and address potential risks.  OCR determined that North Memorial failed to complete a risk analysis that addressed vulnerabilities and risks to electronic PHI across its entire IT infrastructure that included all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes, such as those that allowed an employee to have an unencrypted laptop off-site.

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

In addition to the $1,550,000 payment, under the resolution agreement, North Memorial is required to develop a robust, organization-wide risk analysis and risk management plan.  North Memorial has agreed to complete this plan within 180 days and will include an inventory of all equipment that stores PHI.  North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.  Please click here to view the Resolution Agreement and Corrective Action Plan.

This settlement illustrates OCR’s heightened scrutiny of business associate agreements and third-party vendor relationships.  Last year OCR reached a $3.5 million settlement with Triple-S Management Corp for HIPAA violations that included not having BAAs with vendors.  A company’s PHI safeguards are only as strong as the safeguards of the vendors with whom the company does business.  Covered entities must exercise due diligence in the selection of third-party vendors, review the vendor’s cyber security and data breach plans, ensure that BAAs are in place and are being followed, review contractual obligations, and require audits of PHI safeguards.  Failure to do so not only places personal health information at risk, but can also be very costly for companies who are found to be in breach of their duties.

For further information on the subject matter of this alert, please contact the following FisherBroyles attorneys:

Brian E. Dickerson
[email protected]

Nicole Hughes Waid
[email protected]

Anthony J. Calamunci
[email protected]

About FisherBroyles, LLP

Founded in 2002, FisherBroyles, LLP is the first and world’s largest distributed law firm partnership. The Next Generation Law Firm® has grown to hundreds of partners practicing in 23 markets globally. The FisherBroyles’ efficient and cost-effective Law Firm 2.0® model leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website at to learn more about our firm’s unique approach and how we can best meet your legal needs.

These materials have been prepared for informational purposes only, are not legal advice, and under rules applicable to the professional conduct of attorneys in various jurisdictions may be considered advertising materials. This information is not intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.

© 2021 FisherBroyles LLP