OCR uses latest resolution agreement to emphasize requirement to enter into business associate agreements prior to providing access to PHI

March 17, 2016

Health Care Alert

Author(s): Laurie T. Cohen, Valerie Breslin Montague

Office for Civil Rights (OCR) recently fined a nonprofit health care system $1.55 million after an investigation stemming from a vendor data breach. This alert highlights key enforcement trends applicable to HIPAA-regulated entities.

In its latest resolution agreement, OCR has fined North Memorial Health Care (North Memorial), a nonprofit health care system in Minnesota, $1.55 million for failing to enter into a business associate agreement with a vendor and also failing to conduct a comprehensive risk analysis of its IT infrastructure.

Like many other OCR resolutions, this most recent resolution resulted from an investigation that was commenced by OCR after it received a notice of a breach from North Memorial in September 2011. Of particular note, the breach involved an unencrypted laptop stolen from a locked car. The laptop, owned by a vendor with whom North Memorial had contracted, contained the protected health information (PHI) of almost 10,000 North Memorial patients. In addition to the reported breach, OCR found that North Memorial had provided the vendor access to the PHI of at least 289,904 patients prior to entering into a business associate agreement with the vendor. In fact, the parties did not execute a business associate agreement until almost a month after the breach occurred.

Although the breach originated with a vendor[1] whose employee’s unencrypted laptop was stolen, OCR held North Memorial responsible for the breach, concluding that North Memorial had failed to obtain “reasonable assurances” that the vendor[2] would safeguard the PHI to which it was given access. OCR also found that North Memorial failed to conduct “an accurate and thorough risk analysis” of its IT equipment, applications and data systems. It is important to note that, had the breach occurred after the 2013 regulations that implemented the HITECH Act’s grant of authority to OCR to directly regulate business associates, OCR likely would have pursued an enforcement action against North Memorial’s vendor as well.

In addition to the hefty fine that was imposed, North Memorial entered into a corrective action plan (CAP) that requires the health system to 1) adopt policies and procedures addressing its process for negotiating and managing its business associate agreements, 2) expand its risk analysis to include its entire IT infrastructure, 3) develop an organization-wide risk management plan and 4) conduct employee training.

The North Memorial Resolution Agreement is very instructive for other health care providers and organizations with regard to business associate arrangements. Many covered entities take a prophylactic approach when managing their business associate agreements by sending such agreements to all of their vendors regardless of whether the vendors will be given access to PHI. The North Memorial Resolution Agreement, however, suggests that OCR expects covered entities to have a more deliberate process to assess who is and who is not a business associate.

In addition, health care providers should consider whether they have 1) designated individual(s) within their organization who are authorized to enter into business associate agreements, 2) a process in place to ensure that a business associate is not provided access to PHI prior to signing a business associate agreement and 3) a process to limit disclosures of PHI to the “minimum necessary” for a business associate to perform its duties.

A copy of the Resolution Agreement can be found here.

  1. The vendor, Accretive Health, Inc., entered into a settlement agreement with the Minnesota Attorney General in July 2012 pursuant to which it paid a $2.5 million fine. The Minnesota Attorney General had alleged that Accretive violated state and federal health privacy laws, state debt collection laws and state consumer protection laws.
    [Back to reference]
  2. Accretive Health, Inc. also entered into a settlement agreement with the Federal Trade Commission in December 2013, which requires it to establish a comprehensive information security program designed to protect consumers’ sensitive personal health information.
    [Back to reference]

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top