The U.S. Department of Health and Human Services announced that North Memorial Health System agreed to pay $1.55 million to settle potential HIPAA violations. North Memorial failed to have a written business associate agreement with its third-party billing company, Accretive, resulting in the improper disclosure of protected health information of over 289,000 patients. Additionally, North Memorial did not conduct a thorough risk analysis of its information technology systems. This settlement illustrates the importance of having compliant business associate agreements and conducting comprehensive risk analyses to protect patient information.

1. FISHERBROYLES.COM
TH E NE X T GE NE R A T I O N LA W FI R M ®
Failure to Execute a HIPAA Business Associate Agreement
Results in $1.55 Million Settlement
PRACTICE AREA / INDUSTRY: HEALTHCARE; WHITE COLLAR LITIGATION &
GOVERNEMENT INVESTIGATIONS
Brian E. Dickerson Anthony J. Calamunci
brian.dickerson@fisherbroyles.com anthony.calamunci@fisherbroyles.com
202.570.0248 419.376.1776
Nicole Hughes Waid
nicole.waid@fisherbroyles.com
202.906.9572
March 17, 2016
Yesterday the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”)
announced that North Memorial Health System of Minnesota (“North Memorial”) agreed to pay $1.5 million to
settle charges that it potentially violated HIPAA Privacy and Security Rules by improperly disclosing PHI on
nearly 300,000 patients during a five month period in 2011.
North Memorial reported on September 27, 2011, that an unencrypted laptop that contained electronic PHI of
6,697 patients was stolen on July 25, 2011, from an employee’s locked vehicle. North Memorial disclosed
additional violations during the course of the OCR investigation. Specifically, North Memorial disclosed that
the company did not have a written business associate agreement (“BAA”) with its third party billing company,
Accretive, from March 21, 2011 to October 14, 2011 when a written BAA was provided, resulting in the
improper disclosure of PHI of at least 289,904 individuals.
HIPAA Privacy and Security Rules mandate that organizations must have in place a BAA with any company
that has access to PHI, both non-electronic and electronic. OCR’s investigation indicated that North Memorial
gave Accretive access to its hospital database and also access to non-electronic PHI when services were
performed on-site.

2. FISHERBROYLES.COM
TH E NE X T GE NE R A T I O N LA W FI R M ®
HIPAA Privacy and Security Rules require a thorough and complete risk analysis to identify potential
vulnerabilities and address potential risks. OCR determined that North Memorial failed to complete a risk
analysis that addressed vulnerabilities and risks to electronic PHI across its entire IT infrastructure that
included all applications, software, databases, servers, workstations, mobile devices and electronic media,
network administration and security devices, and associated business processes, such as those that allowed
an employee to have an unencrypted laptop off-site.
“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of
the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have
in place compliant business associate agreements as well as an accurate and thorough risk analysis that
addresses their enterprise-wide IT infrastructure.”
In addition to the $1,550,000 payment, under the resolution agreement, North Memorial is required to develop a
robust, organization-wide risk analysis and risk management plan. North Memorial has agreed to complete this
plan within 180 days and will include an inventory of all equipment that stores PHI. North Memorial will also train
appropriate workforce members on all policies and procedures newly developed or revised pursuant to this
corrective action plan. Please click here to view the Resolution Agreement and Corrective Action Plan.
This settlement illustrates OCR’s heightened scrutiny of business associate agreements and third-party vendor
relationships. Last year OCR reached a $3.5 million settlement with Triple-S Management Corp for HIPAA
violations that included not having BAAs with vendors. A company’s PHI safeguards are only as strong as the
safeguards of the vendors with whom the company does business. Covered entities must exercise due diligence
in the selection of third-party vendors, review the vendor’s cyber security and data breach plans, ensure that BAAs
are in place and are being followed, review contractual obligations, and require audits of PHI safeguards. Failure
to do so not only places personal health information at risk, but can also be very costly for companies who are
found to be in breach of their duties.
For further information on the subject matter of this alert, please contact the following FisherBroyles attorneys:
Brian E. Dickerson
brian.dickerson@fisherbroyles.com
202.570.0248
Nicole Hughes Waid
nicole.waid@fisherbroyles.com
202.906.9572
Anthony J. Calamunci
anthony.calamunci@fisherbroyles.com
419.376.1776