Provider Faces $1.55 Million Penalty for BA's BreachLack of BA Agreement, Risk Assessment Cited in OCR Settlement
Federal regulators have imposed a $1.55 million penalty on a Minnesota healthcare system as part of a settlement following an investigation of a business associate's breach involving a stolen laptop. North Memorial Healthcare's business associate, Accretive Health, already has been sanctioned by two other government entities for the same 2011 incident.
The Department of Health and Human Services' Office for Civil Rights, in a March 16 statement, says the resolution agreement with North Memorial Healthcare, which also includes a corrective action plan, highlights that the provider organization lacked a HIPAA-required business associate agreement with the vendor, which had access to protected health information. Plus, the provider had not conducted a timely, enterprisewide risk analysis - another HIPAA requirement.
North Memorial is a not-for-profit healthcare system that serves Minneapolis-St. Paul and surrounding Minnesota communities.
Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says it's crucial that healthcare organizations develop a vendor management program "that can scrutinize each time that a vendor or contractor is being sought to evaluate if the service provider will be receiving, maintaining or creating protected health information so that the business associate agreement required by the HIPAA standards will be in place."
A strong vendor management program also actively evaluates and audits business associates' security to ensure they have appropriate information security safeguards in place, he adds. "Some suggestions include sending out a questionnaire prompting questions such as, 'When was the date of your last risk assessment? When were your privacy and security policies last updated? What was the date of your last workforce HIPAA compliance training?'" he says.
The Breach Investigation
OCR says it initiated its investigation of North Memorial following receipt of a breach report in September 2011, which indicated that an unencrypted laptop was stolen from a locked vehicle of an employee of Accretive Health, a Chicago-based business associate providing billing and collections services to the healthcare organization.
The stolen laptop contained electronic protected health information for about 23,000 individuals, including about 9,500 North Memorial patients.
The other PHI on the stolen Accretive Health laptop was for patients of Minnesota-based Fairview Health System.
OCR declined to comment about whether any potential enforcement actions are planned against Fairview for the same breach. "As a matter of policy, the HHS OCR does not comment on current or potential investigations," an OCR spokeswoman tells Information Security Media Group.
Business Associate Enforcement Actions
Business associates did not become directly liable for HIPAA compliance until the HIPAA Omnibus Rule went into effect in 2012, about a year after the North Memorial breach.
However, Accretive Health, the business associate involved with the North Memorial breach, has been sanctioned by the Minnesota's state attorney general's office and the Federal Trade Commission for its data security practices leading to the incident.
In July 2012, Accretive Health agreed to pay $2.5 million to settle a lawsuit filed by Minnesota Attorney General Lori Swanson following the July 2011 data breach affecting North Memorial and Fairview Health patients.
The state's lawsuit, which dealt with the firm's collection practices as well as the breach incident, alleged violations of federal and state health privacy laws as well as state debt collection and consumer protection laws. As part of the settlement, the company also agreed to stop doing business in Minnesota for two years.
Then in 2014, Accretive agreed to a settlement with the FTC, which alleged in a complaint that the company failed to provide reasonable and appropriate security measures and procedures to protect consumers' personal information, contributing to the breach.
While the FTC settlement did not include a monetary penalty, Accretive agreed to a number of corrective actions designed to establish a comprehensive security program to protect consumers' personal information. The settlement, which is in force for 20 years, also includes Accretive agreeing to have its program evaluated every two years by a certified third party.
OCR Director Jocelyn Samuels says in a statement that the office's investigation found that "two major cornerstones" of HIPAA were overlooked by North Memorial. "Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprisewide IT infrastructure."
In its investigation, OCR discovered that North Memorial failed to have in place a business associate agreement pertaining to the vendor performing certain payment and healthcare operations activities on its behalf. "North Memorial gave its business associate, Accretive, access to North Memorial's hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic PHI as it performed services on site at North Memorial," OCR says.
The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed or transmitted across its entire IT infrastructure - including all applications; software; databases; servers; workstations; mobile devices and electronic media; network administration and security devices; and associated business processes, OCR says.
In a statement to ISMG, North Memorial says, "The privacy of our customers' health information is a top priority. ... We hold all of our team members to the highest standard when it comes to dealing with information involving our customers. It is unfortunate that one of our vendors failed to meet that expectation in 2011. We no longer have a relationship with this vendor, and there has never been any indication that any of the information on the vendor's laptop was ever accessed or used inappropriately. Since this incident five years ago, we have revised our security risk analysis and further strengthened our processes. In addition, North Memorial Health Care continues to provide ongoing training in privacy and security, including HIPAA education."
As part of its settlement with OCR, the healthcare provider has agreed to a corrective action plan that includes:
- Developing policies and procedures related to business associate relationships;
- Modifying its existing risk analysis process so that it is updated, comprehensive and thorough;
- Developing an enterprisewide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis and, if necessary, revise its policies and procedures accordingly;
- Developing and providing a security and privacy training program including information regarding business associates to all appropriate workforce members.
Privacy attorney Kirk Nahra of the law firm Wiley Rein says it's only a matter of time before OCR begins sanctioning business associates for their HIPAA compliance violations.
"This incident affected behavior from a business associate before the time period when OCR had formal authority over business associates. Now, business associates - with or without a business associate agreement - are subject to enforcement," he says. "HHS has not yet taken action against a business associate, and will have some real challenges as to how to apply HIPAA's rules, particularly the security rule, to the vast array of business associates that exist."
The HIPAA Security Rule treats every business associate with access to PHI the same as a hospital or a health insurer, Nahra notes. "HHS will face challenges in approaching enforcement in this area, but, to date, HHS has proved reasonable and effective in managing these enforcement challenges," he adds.
Weak Risk Analysis
OCR's settlement with North Memorial also reflects an ongoing issue about a failure to perform an "appropriate" risk assessment, Nahra notes. "OCR has been stating this consistently and aggressively - that executing an effective risk assessment program is the foundation for an effective and appropriate HIPAA security program."
In fact, many of 30 resolution agreements that OCR has signed with other covered entities since 2008 have focused on the failure to conduct comprehensive and timely risk analysis.
"I no longer accept the argument that performing a risk analysis of a healthcare program's or technology service provider's information systems is beyond the reach of any organization," Holtzman says. "Unfortunately, many organizations are blissfully unaware of their HIPAA responsibilities and have done very little in the way of privacy and security. Others are just unwilling to take the steps needed to get with the program. Perhaps the negative consequences of failing to conduct a thorough risk analysis will be a motivator."