The U.S. Department of Health and Human Services announced that North Memorial Health System agreed to pay $1.55 million to settle potential HIPAA violations. North Memorial failed to have a written business associate agreement with its third-party billing company, Accretive, resulting in the improper disclosure of protected health information of over 289,000 patients. Additionally, North Memorial did not conduct a thorough risk analysis of its information technology systems. This settlement illustrates the importance of having compliant business associate agreements and conducting comprehensive risk analyses to protect patient information.
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Million Settlement
FISHERBROYLES.COM
THE NEXT GENERATION LAW FIRM®
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Million Settlement
PRACTICE AREA / INDUSTRY: HEALTHCARE; WHITE COLLAR LITIGATION & GOVERNMENT INVESTIGATIONS
Brian E. Dickerson | brian.dickerson@fisherbroyles.com | 202.570.0248
Anthony J. Calamunci | anthony.calamunci@fisherbroyles.com | 419.376.1776
Nicole Hughes Waid | nicole.waid@fisherbroyles.com | 202.906.9572
March 17, 2016
Yesterday the U.S. Department of Health & Human Services ("HHS") Office for Civil Rights ("OCR") announced that North Memorial Health System of Minnesota ("North Memorial") agreed to pay $1.55 million to settle charges that it potentially violated the HIPAA Privacy and Security Rules by improperly disclosing PHI on nearly 300,000 patients during a five-month period in 2011.
North Memorial reported on September 27, 2011, that an unencrypted laptop containing electronic PHI of 6,697 patients was stolen on July 25, 2011, from an employee's locked vehicle. North Memorial disclosed additional violations during the course of the OCR investigation. Specifically, North Memorial disclosed that the company did not have a written business associate agreement ("BAA") with its third-party billing company, Accretive, from March 21, 2011 to October 14, 2011, when a written BAA was provided, resulting in the improper disclosure of PHI of at least 289,904 individuals.
The HIPAA Privacy and Security Rules mandate that organizations have in place a BAA with any company that has access to PHI, both non-electronic and electronic. OCR's investigation indicated that North Memorial gave Accretive access to its hospital database and also access to non-electronic PHI when services were performed on-site.
The HIPAA Privacy and Security Rules require a thorough and complete risk analysis to identify potential vulnerabilities and address potential risks. OCR determined that North Memorial failed to complete a risk analysis that addressed vulnerabilities and risks to electronic PHI across its entire IT infrastructure, including all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes, such as those that allowed an employee to have an unencrypted laptop off-site.
"Two major cornerstones of the HIPAA Rules were overlooked by this entity," said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). "Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure."
In addition to the $1,550,000 payment, under the resolution agreement North Memorial is required to develop a robust, organization-wide risk analysis and risk management plan. North Memorial has agreed to complete this plan within 180 days, and the plan will include an inventory of all equipment that stores PHI. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan. The Resolution Agreement and Corrective Action Plan are available from HHS.
This settlement illustrates OCR's heightened scrutiny of business associate agreements and third-party vendor relationships. Last year OCR reached a $3.5 million settlement with Triple-S Management Corp for HIPAA violations that included not having BAAs with vendors. A company's PHI safeguards are only as strong as the safeguards of the vendors with whom the company does business. Covered entities must exercise due diligence in the selection of third-party vendors, review each vendor's cyber security and data breach plans, ensure that BAAs are in place and are being followed, review contractual obligations, and require audits of PHI safeguards. Failure to do so not only places personal health information at risk, but can also be very costly for companies that are found to be in breach of their duties.
For further information on the subject matter of this alert, please contact the following FisherBroyles attorneys:
Brian E. Dickerson | brian.dickerson@fisherbroyles.com | 202.570.0248
Nicole Hughes Waid | nicole.waid@fisherbroyles.com | 202.906.9572
Anthony J. Calamunci | anthony.calamunci@fisherbroyles.com | 419.376.1776