HIPAA Business Associate Agreements are Required by Law - Paubox

As we’ve previously covered, a Business Associate Agreement (BAA) is a written contract between a Covered Entity (CE) and a Business Associate (BA). It is required for HIPAA compliance. In fact, a Covered Entity in Minnesota recently agreed to a $1.55 million fine for not having a BAA in place with one of its Business Associates.

North Memorial Health Care of Minnesota has agreed to pay $1.55M to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a Business Associate Agreement with a major contractor. It also failed to conduct an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

“Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

OCR began its investigation of North Memorial following receipt of a breach report on 27 September 2011, which indicated that an unencrypted, password-protected laptop was stolen from a Business Associate’s workforce member’s car. This stolen laptop impacted the electronic protected health information (ePHI) of 9,497 individuals.

In this case, the laptop was stolen from a Business Associate’s car, not from an employee of North Memorial. As we’ve covered before, stolen laptops continue to be a cause of immense HIPAA fines.

OCR’s investigation uncovered that North Memorial failed to have in place a BAA, as required under the HIPAA Privacy and Security Rules. North Memorial gave its Business Associate, Accretive Health, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive Health also received access to non-electronic protected health information as it performed services on-site at North Memorial.

This isn’t the first time Accretive Health has seen bad press in Minnesota. In 2012, it agreed to pay a $2.5M fine and leave the state as part of a settlement of a federal lawsuit brought by state Attorney General Lori Swanson.

As for North Memorial, the investigation further determined that it failed to complete a risk analysis addressing all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted. Such a risk analysis must cover the organization’s entire IT infrastructure.

In addition to the $1.55M fine, North Memorial is required to develop an organization-wide risk analysis and risk management plan. More information can be found on the HHS website.

About North Memorial Health Care of Minnesota
North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.

About the author

Hoala Greevy

Founder CEO Paubox. Kayak fishing when I can.
