SlideShare a Scribd company logo

Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Million Settlement

B
Brian Dickerson

Healthcare
1 of 2
Download to read offline
FISHERBROYLES.COM TH E NE X T GE NE R A T I O N LA W FI R M ® Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Million Settlement PRACTICE AREA / INDUSTRY: HEALTHCARE; WHITE COLLAR LITIGATION & GOVERNEMENT INVESTIGATIONS Brian E. Dickerson Anthony J. Calamunci brian.dickerson@fisherbroyles.com anthony.calamunci@fisherbroyles.com 202.570.0248 419.376.1776 Nicole Hughes Waid nicole.waid@fisherbroyles.com 202.906.9572 March 17, 2016 Yesterday the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that North Memorial Health System of Minnesota (“North Memorial”) agreed to pay $1.5 million to settle charges that it potentially violated HIPAA Privacy and Security Rules by improperly disclosing PHI on nearly 300,000 patients during a five month period in 2011. North Memorial reported on September 27, 2011, that an unencrypted laptop that contained electronic PHI of 6,697 patients was stolen on July 25, 2011, from an employee’s locked vehicle. North Memorial disclosed additional violations during the course of the OCR investigation. Specifically, North Memorial disclosed that the company did not have a written business associate agreement (“BAA”) with its third party billing company, Accretive, from March 21, 2011 to October 14, 2011 when a written BAA was provided, resulting in the improper disclosure of PHI of at least 289,904 individuals. HIPAA Privacy and Security Rules mandate that organizations must have in place a BAA with any company that has access to PHI, both non-electronic and electronic. OCR’s investigation indicated that North Memorial gave Accretive access to its hospital database and also access to non-electronic PHI when services were performed on-site.
FISHERBROYLES.COM TH E NE X T GE NE R A T I O N LA W FI R M ® HIPAA Privacy and Security Rules require a thorough and complete risk analysis to identify potential vulnerabilities and address potential risks. OCR determined that North Memorial failed to complete a risk analysis that addressed vulnerabilities and risks to electronic PHI across its entire IT infrastructure that included all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes, such as those that allowed an employee to have an unencrypted laptop off-site. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.” In addition to the $1,550,000 payment, under the resolution agreement, North Memorial is required to develop a robust, organization-wide risk analysis and risk management plan. North Memorial has agreed to complete this plan within 180 days and will include an inventory of all equipment that stores PHI. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan. Please click here to view the Resolution Agreement and Corrective Action Plan. This settlement illustrates OCR’s heightened scrutiny of business associate agreements and third-party vendor relationships. Last year OCR reached a $3.5 million settlement with Triple-S Management Corp for HIPAA violations that included not having BAAs with vendors. A company’s PHI safeguards are only as strong as the safeguards of the vendors with whom the company does business. Covered entities must exercise due diligence in the selection of third-party vendors, review the vendor’s cyber security and data breach plans, ensure that BAAs are in place and are being followed, review contractual obligations, and require audits of PHI safeguards. Failure to do so not only places personal health information at risk, but can also be very costly for companies who are found to be in breach of their duties. For further information on the subject matter of this alert, please contact the following FisherBroyles attorneys: Brian E. Dickerson brian.dickerson@fisherbroyles.com 202.570.0248 Nicole Hughes Waid nicole.waid@fisherbroyles.com 202.906.9572 Anthony J. Calamunci anthony.calamunci@fisherbroyles.com 419.376.1776

Recommended

Mobile Privacy & Personal Health Information
Mobile Privacy & Personal Health InformationMobile Privacy & Personal Health Information
Mobile Privacy & Personal Health InformationSheree Martin
 
Hipaa and him security brunelle
Hipaa and him security brunelleHipaa and him security brunelle
Hipaa and him security brunellesjbusnpa
 
Your privacy online: Health information at serious risk of abuse, researchers...
Your privacy online: Health information at serious risk of abuse, researchers...Your privacy online: Health information at serious risk of abuse, researchers...
Your privacy online: Health information at serious risk of abuse, researchers...impartialnewsle68
 
Hipaa Goes Hitech
Hipaa Goes HitechHipaa Goes Hitech
Hipaa Goes HitechCandy Matheny
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
Feds Launch Long-Awaited HIPAA Audits
Feds Launch Long-Awaited HIPAA AuditsFeds Launch Long-Awaited HIPAA Audits
Feds Launch Long-Awaited HIPAA AuditsBrian Dickerson
 
Protecting Patient Information - Feds Find Security Lapses in State and Local...
Protecting Patient Information - Feds Find Security Lapses in State and Local...Protecting Patient Information - Feds Find Security Lapses in State and Local...
Protecting Patient Information - Feds Find Security Lapses in State and Local...Patton Boggs LLP
 
MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE Milk663
 

Recommended

Mobile Privacy & Personal Health Information
Mobile Privacy & Personal Health InformationMobile Privacy & Personal Health Information
Mobile Privacy & Personal Health InformationSheree Martin
 
Hipaa and him security brunelle
Hipaa and him security brunelleHipaa and him security brunelle
Hipaa and him security brunellesjbusnpa
 
Your privacy online: Health information at serious risk of abuse, researchers...
Your privacy online: Health information at serious risk of abuse, researchers...Your privacy online: Health information at serious risk of abuse, researchers...
Your privacy online: Health information at serious risk of abuse, researchers...impartialnewsle68
 
Hipaa Goes Hitech
Hipaa Goes HitechHipaa Goes Hitech
Hipaa Goes HitechCandy Matheny
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
Feds Launch Long-Awaited HIPAA Audits
Feds Launch Long-Awaited HIPAA AuditsFeds Launch Long-Awaited HIPAA Audits
Feds Launch Long-Awaited HIPAA AuditsBrian Dickerson
 
Protecting Patient Information - Feds Find Security Lapses in State and Local...
Protecting Patient Information - Feds Find Security Lapses in State and Local...Protecting Patient Information - Feds Find Security Lapses in State and Local...
Protecting Patient Information - Feds Find Security Lapses in State and Local...Patton Boggs LLP
 
MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE Milk663
 
HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesRedspin, Inc.
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin, Inc.
 
Implications of hipaa non compliance
Implications of hipaa non complianceImplications of hipaa non compliance
Implications of hipaa non complianceAegify Inc.
 
US Data Privacy Laws
US Data Privacy LawsUS Data Privacy Laws
US Data Privacy LawsIDG Connect
 
Law_Firm_Info_Security_Report_June2011 (1)
Law_Firm_Info_Security_Report_June2011 (1)Law_Firm_Info_Security_Report_June2011 (1)
Law_Firm_Info_Security_Report_June2011 (1)Aspiration Software LLC
 
HITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAHITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAGurvinder Singh, CISSP, CISA, ITIL v3
 
The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...CureMD
 
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Davis Wright Tremaine LLP
 
Mha 690 presentation hippa
Mha 690 presentation hippaMha 690 presentation hippa
Mha 690 presentation hippabelle0508
 
Cost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, CourtneyCost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, Courtneycourtneyquinlan
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryEMC
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookElizabeth Dimit
 
Privacy Do's and Don'ts for Customer Service Representatives
Privacy Do's and Don'ts for Customer Service RepresentativesPrivacy Do's and Don'ts for Customer Service Representatives
Privacy Do's and Don'ts for Customer Service RepresentativesArt Hall
 
MBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBMeHealthCareSolutions
 
Health Care Fraud Hurts!
Health Care Fraud Hurts!Health Care Fraud Hurts!
Health Care Fraud Hurts!urlstevens
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHealthCare Too, LLC
 
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...Colin Zick
 
The New HIPAA Privacy Rule
The New HIPAA Privacy RuleThe New HIPAA Privacy Rule
The New HIPAA Privacy RuleMichael Witt
 
Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simpleJose Ivan Delgado, Ph.D.
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law TestSachiko Hurst
 

More Related Content

What's hot

HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesRedspin, Inc.
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin, Inc.
 
Implications of hipaa non compliance
Implications of hipaa non complianceImplications of hipaa non compliance
Implications of hipaa non complianceAegify Inc.
 
US Data Privacy Laws
US Data Privacy LawsUS Data Privacy Laws
US Data Privacy LawsIDG Connect
 
Law_Firm_Info_Security_Report_June2011 (1)
Law_Firm_Info_Security_Report_June2011 (1)Law_Firm_Info_Security_Report_June2011 (1)
Law_Firm_Info_Security_Report_June2011 (1)Aspiration Software LLC
 
The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...CureMD
 
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Davis Wright Tremaine LLP
 
Mha 690 presentation hippa
Mha 690 presentation hippaMha 690 presentation hippa
Mha 690 presentation hippabelle0508
 
Cost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, CourtneyCost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, Courtneycourtneyquinlan
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryEMC
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookElizabeth Dimit
 
Privacy Do's and Don'ts for Customer Service Representatives
Privacy Do's and Don'ts for Customer Service RepresentativesPrivacy Do's and Don'ts for Customer Service Representatives
Privacy Do's and Don'ts for Customer Service RepresentativesArt Hall
 
MBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBMeHealthCareSolutions
 
Health Care Fraud Hurts!
Health Care Fraud Hurts!Health Care Fraud Hurts!
Health Care Fraud Hurts!urlstevens
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHealthCare Too, LLC
 
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...Colin Zick
 
The New HIPAA Privacy Rule
The New HIPAA Privacy RuleThe New HIPAA Privacy Rule
The New HIPAA Privacy RuleMichael Witt
 

What's hot (19)

HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business Associates
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012
 
Implications of hipaa non compliance
Implications of hipaa non complianceImplications of hipaa non compliance
Implications of hipaa non compliance
 
US Data Privacy Laws
US Data Privacy LawsUS Data Privacy Laws
US Data Privacy Laws
 
Law_Firm_Info_Security_Report_June2011 (1)
Law_Firm_Info_Security_Report_June2011 (1)Law_Firm_Info_Security_Report_June2011 (1)
Law_Firm_Info_Security_Report_June2011 (1)
 
HITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAHITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAA
 
The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...
 
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
 
Mha 690 presentation hippa
Mha 690 presentation hippaMha 690 presentation hippa
Mha 690 presentation hippa
 
Cost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, CourtneyCost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, Courtney
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare Industry
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule Playbook
 
Privacy Do's and Don'ts for Customer Service Representatives
Privacy Do's and Don'ts for Customer Service RepresentativesPrivacy Do's and Don'ts for Customer Service Representatives
Privacy Do's and Don'ts for Customer Service Representatives
 
MBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance Whitepaper
 
Health Care Fraud Hurts!
Health Care Fraud Hurts!Health Care Fraud Hurts!
Health Care Fraud Hurts!
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach Overview
 
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
 
The New HIPAA Privacy Rule
The New HIPAA Privacy RuleThe New HIPAA Privacy Rule
The New HIPAA Privacy Rule
 

Similar to Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Million Settlement

Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law TestSachiko Hurst
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion Dan Wellisch
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Envision Technology Advisors
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaageeksikh
 
HIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersHIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersJason Karn
 
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus RuleHIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus RuleMichigan Primary Care Association
 
Economic Stimulus Package V4
Economic Stimulus Package V4Economic Stimulus Package V4
Economic Stimulus Package V4bakerdb
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Kimberly Simon MBA
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdf
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdfChapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdf
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdfprajeetjain
 
HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowShred-it
 
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...Michigan Primary Care Association
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTKimberly Simon MBA
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rssupportc2go
 
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxChapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxcravennichole326
 

Similar to Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Million Settlement (20)

Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small Providers
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simple
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law Test
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
 
WhitePaper- Archiving Supports HIPAA Compliance
WhitePaper- Archiving Supports HIPAA ComplianceWhitePaper- Archiving Supports HIPAA Compliance
WhitePaper- Archiving Supports HIPAA Compliance
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaa
 
HIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersHIPAA and Privacy for Researchers
HIPAA and Privacy for Researchers
 
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus RuleHIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
 
Economic Stimulus Package V4
Economic Stimulus Package V4Economic Stimulus Package V4
Economic Stimulus Package V4
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
 
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdf
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdfChapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdf
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdf
 
HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to know
 
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUST
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
 
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxChapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
 

More from Brian Dickerson

The New Overtime Regulations
The New Overtime RegulationsThe New Overtime Regulations
The New Overtime RegulationsBrian Dickerson
 
FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...
FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...
FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...Brian Dickerson
 
FisherBroyles Client Alert - FDA Issues Draft Guidance for Compounding Operat...
FisherBroyles Client Alert - FDA Issues Draft Guidance for Compounding Operat...FisherBroyles Client Alert - FDA Issues Draft Guidance for Compounding Operat...
FisherBroyles Client Alert - FDA Issues Draft Guidance for Compounding Operat...Brian Dickerson
 
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?Brian Dickerson
 
Court Says NJ Took Too Long For Subpoenas In FCA Claim
Court Says NJ Took Too Long For Subpoenas In FCA ClaimCourt Says NJ Took Too Long For Subpoenas In FCA Claim
Court Says NJ Took Too Long For Subpoenas In FCA ClaimBrian Dickerson
 
HIPAA 2016 Audits Phase 2: Covered Entities and Business Associates Take Notice
HIPAA 2016 Audits Phase 2: Covered Entities and Business Associates Take Notice HIPAA 2016 Audits Phase 2: Covered Entities and Business Associates Take Notice
HIPAA 2016 Audits Phase 2: Covered Entities and Business Associates Take Notice Brian Dickerson
 

More from Brian Dickerson (7)

SDM Eclipse Poetry
SDM Eclipse PoetrySDM Eclipse Poetry
SDM Eclipse Poetry
 
The New Overtime Regulations
The New Overtime RegulationsThe New Overtime Regulations
The New Overtime Regulations
 
FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...
FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...
FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...
 
FisherBroyles Client Alert - FDA Issues Draft Guidance for Compounding Operat...
FisherBroyles Client Alert - FDA Issues Draft Guidance for Compounding Operat...FisherBroyles Client Alert - FDA Issues Draft Guidance for Compounding Operat...
FisherBroyles Client Alert - FDA Issues Draft Guidance for Compounding Operat...
 
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
 
Court Says NJ Took Too Long For Subpoenas In FCA Claim
Court Says NJ Took Too Long For Subpoenas In FCA ClaimCourt Says NJ Took Too Long For Subpoenas In FCA Claim
Court Says NJ Took Too Long For Subpoenas In FCA Claim
 
HIPAA 2016 Audits Phase 2: Covered Entities and Business Associates Take Notice
HIPAA 2016 Audits Phase 2: Covered Entities and Business Associates Take Notice HIPAA 2016 Audits Phase 2: Covered Entities and Business Associates Take Notice
HIPAA 2016 Audits Phase 2: Covered Entities and Business Associates Take Notice
 

Recently uploaded

Russian Call Girls in Raipur 9873940964 Book Hot And Sexy Girls
Russian Call Girls in Raipur 9873940964 Book Hot And Sexy GirlsRussian Call Girls in Raipur 9873940964 Book Hot And Sexy Girls
Russian Call Girls in Raipur 9873940964 Book Hot And Sexy Girlsddev2574
 
Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...
Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...
Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...High Profile Call Girls Chandigarh Aarushi
 
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...delhimodelshub1
 
Call Girls in Hyderabad Lavanya 9907093804 Independent Escort Service Hyderabad
Call Girls in Hyderabad Lavanya 9907093804 Independent Escort Service HyderabadCall Girls in Hyderabad Lavanya 9907093804 Independent Escort Service Hyderabad
Call Girls in Hyderabad Lavanya 9907093804 Independent Escort Service Hyderabaddelhimodelshub1
 
Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...soniya singh
 
Call Girls Hyderabad Kirti 9907093804 Independent Escort Service Hyderabad
Call Girls Hyderabad Kirti 9907093804 Independent Escort Service HyderabadCall Girls Hyderabad Kirti 9907093804 Independent Escort Service Hyderabad
Call Girls Hyderabad Kirti 9907093804 Independent Escort Service Hyderabaddelhimodelshub1
 
Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...
Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...
Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...High Profile Call Girls Chandigarh Aarushi
 
Call Girls Hyderabad Krisha 9907093804 Independent Escort Service Hyderabad
Call Girls Hyderabad Krisha 9907093804 Independent Escort Service HyderabadCall Girls Hyderabad Krisha 9907093804 Independent Escort Service Hyderabad
Call Girls Hyderabad Krisha 9907093804 Independent Escort Service Hyderabaddelhimodelshub1
 
Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...
Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...
Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...delhimodelshub1
 
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call Now
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call NowKukatpally Call Girls Services 9907093804 High Class Babes Here Call Now
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call NowHyderabad Call Girls Services
 
Russian Call Girls in Goa Samaira 7001305949 Independent Escort Service Goa
Russian Call Girls in Goa Samaira 7001305949 Independent Escort Service GoaRussian Call Girls in Goa Samaira 7001305949 Independent Escort Service Goa
Russian Call Girls in Goa Samaira 7001305949 Independent Escort Service Goanarwatsonia7
 
Basics of Anatomy- Language of Anatomy.pptx
Basics of Anatomy- Language of Anatomy.pptxBasics of Anatomy- Language of Anatomy.pptx
Basics of Anatomy- Language of Anatomy.pptxAyush Gupta
 
Local Housewife and effective ☎️ 8250192130 🍉🍓 Sexy Girls VIP Call Girls Chan...
Local Housewife and effective ☎️ 8250192130 🍉🍓 Sexy Girls VIP Call Girls Chan...Local Housewife and effective ☎️ 8250192130 🍉🍓 Sexy Girls VIP Call Girls Chan...
Local Housewife and effective ☎️ 8250192130 🍉🍓 Sexy Girls VIP Call Girls Chan...Russian Call Girls Amritsar
 
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...delhimodelshub1
 
Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...
Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...
Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...delhimodelshub1
 
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...Call Girls Noida
 
Dehradun Call Girls Service ❤️🍑 9675010100 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 9675010100 👄🫦Independent Escort Service DehradunDehradun Call Girls Service ❤️🍑 9675010100 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 9675010100 👄🫦Independent Escort Service DehradunNiamh verma
 
Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...ggsonu500
 
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591adityaroy0215
 

Recently uploaded (20)

Russian Call Girls in Raipur 9873940964 Book Hot And Sexy Girls
Russian Call Girls in Raipur 9873940964 Book Hot And Sexy GirlsRussian Call Girls in Raipur 9873940964 Book Hot And Sexy Girls
Russian Call Girls in Raipur 9873940964 Book Hot And Sexy Girls
 
Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...
Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...
Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...
 
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...
 
Call Girls in Hyderabad Lavanya 9907093804 Independent Escort Service Hyderabad
Call Girls in Hyderabad Lavanya 9907093804 Independent Escort Service HyderabadCall Girls in Hyderabad Lavanya 9907093804 Independent Escort Service Hyderabad
Call Girls in Hyderabad Lavanya 9907093804 Independent Escort Service Hyderabad
 
Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
 
Call Girls Hyderabad Kirti 9907093804 Independent Escort Service Hyderabad
Call Girls Hyderabad Kirti 9907093804 Independent Escort Service HyderabadCall Girls Hyderabad Kirti 9907093804 Independent Escort Service Hyderabad
Call Girls Hyderabad Kirti 9907093804 Independent Escort Service Hyderabad
 
Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...
Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...
Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...
 
Call Girls Hyderabad Krisha 9907093804 Independent Escort Service Hyderabad
Call Girls Hyderabad Krisha 9907093804 Independent Escort Service HyderabadCall Girls Hyderabad Krisha 9907093804 Independent Escort Service Hyderabad
Call Girls Hyderabad Krisha 9907093804 Independent Escort Service Hyderabad
 
Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...
Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...
Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...
 
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call Now
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call NowKukatpally Call Girls Services 9907093804 High Class Babes Here Call Now
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call Now
 
Russian Call Girls in Goa Samaira 7001305949 Independent Escort Service Goa
Russian Call Girls in Goa Samaira 7001305949 Independent Escort Service GoaRussian Call Girls in Goa Samaira 7001305949 Independent Escort Service Goa
Russian Call Girls in Goa Samaira 7001305949 Independent Escort Service Goa
 
Basics of Anatomy- Language of Anatomy.pptx
Basics of Anatomy- Language of Anatomy.pptxBasics of Anatomy- Language of Anatomy.pptx
Basics of Anatomy- Language of Anatomy.pptx
 
Local Housewife and effective ☎️ 8250192130 🍉🍓 Sexy Girls VIP Call Girls Chan...
Local Housewife and effective ☎️ 8250192130 🍉🍓 Sexy Girls VIP Call Girls Chan...Local Housewife and effective ☎️ 8250192130 🍉🍓 Sexy Girls VIP Call Girls Chan...
Local Housewife and effective ☎️ 8250192130 🍉🍓 Sexy Girls VIP Call Girls Chan...
 
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
 
Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...
Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...
Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...
 
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
 
Dehradun Call Girls Service ❤️🍑 9675010100 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 9675010100 👄🫦Independent Escort Service DehradunDehradun Call Girls Service ❤️🍑 9675010100 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 9675010100 👄🫦Independent Escort Service Dehradun
 
Call Girl Lucknow Gauri 🔝 8923113531 🔝 🎶 Independent Escort Service Lucknow
Call Girl Lucknow Gauri 🔝 8923113531 🔝 🎶 Independent Escort Service LucknowCall Girl Lucknow Gauri 🔝 8923113531 🔝 🎶 Independent Escort Service Lucknow
Call Girl Lucknow Gauri 🔝 8923113531 🔝 🎶 Independent Escort Service Lucknow
 
Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
 
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
 

Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Million Settlement

  • 1. FISHERBROYLES.COM TH E NE X T GE NE R A T I O N LA W FI R M ® Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Million Settlement PRACTICE AREA / INDUSTRY: HEALTHCARE; WHITE COLLAR LITIGATION & GOVERNEMENT INVESTIGATIONS Brian E. Dickerson Anthony J. Calamunci brian.dickerson@fisherbroyles.com anthony.calamunci@fisherbroyles.com 202.570.0248 419.376.1776 Nicole Hughes Waid nicole.waid@fisherbroyles.com 202.906.9572 March 17, 2016 Yesterday the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that North Memorial Health System of Minnesota (“North Memorial”) agreed to pay $1.5 million to settle charges that it potentially violated HIPAA Privacy and Security Rules by improperly disclosing PHI on nearly 300,000 patients during a five month period in 2011. North Memorial reported on September 27, 2011, that an unencrypted laptop that contained electronic PHI of 6,697 patients was stolen on July 25, 2011, from an employee’s locked vehicle. North Memorial disclosed additional violations during the course of the OCR investigation. Specifically, North Memorial disclosed that the company did not have a written business associate agreement (“BAA”) with its third party billing company, Accretive, from March 21, 2011 to October 14, 2011 when a written BAA was provided, resulting in the improper disclosure of PHI of at least 289,904 individuals. HIPAA Privacy and Security Rules mandate that organizations must have in place a BAA with any company that has access to PHI, both non-electronic and electronic. OCR’s investigation indicated that North Memorial gave Accretive access to its hospital database and also access to non-electronic PHI when services were performed on-site.
  • 2. FISHERBROYLES.COM TH E NE X T GE NE R A T I O N LA W FI R M ® HIPAA Privacy and Security Rules require a thorough and complete risk analysis to identify potential vulnerabilities and address potential risks. OCR determined that North Memorial failed to complete a risk analysis that addressed vulnerabilities and risks to electronic PHI across its entire IT infrastructure that included all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes, such as those that allowed an employee to have an unencrypted laptop off-site. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.” In addition to the $1,550,000 payment, under the resolution agreement, North Memorial is required to develop a robust, organization-wide risk analysis and risk management plan. North Memorial has agreed to complete this plan within 180 days and will include an inventory of all equipment that stores PHI. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan. Please click here to view the Resolution Agreement and Corrective Action Plan. This settlement illustrates OCR’s heightened scrutiny of business associate agreements and third-party vendor relationships. Last year OCR reached a $3.5 million settlement with Triple-S Management Corp for HIPAA violations that included not having BAAs with vendors. A company’s PHI safeguards are only as strong as the safeguards of the vendors with whom the company does business. Covered entities must exercise due diligence in the selection of third-party vendors, review the vendor’s cyber security and data breach plans, ensure that BAAs are in place and are being followed, review contractual obligations, and require audits of PHI safeguards. Failure to do so not only places personal health information at risk, but can also be very costly for companies who are found to be in breach of their duties. For further information on the subject matter of this alert, please contact the following FisherBroyles attorneys: Brian E. Dickerson brian.dickerson@fisherbroyles.com 202.570.0248 Nicole Hughes Waid nicole.waid@fisherbroyles.com 202.906.9572 Anthony J. Calamunci anthony.calamunci@fisherbroyles.com 419.376.1776