Here’s an announcement that should have any HIPAA-covered organization sitting straight up! Especially business associates because this is going to affect their agreements with HIPAA covered entities.
From the Office of Civil Rights (OCR): $1.55 million settlement underscores the importance of executing HIPAA business associate agreements.
Here’s their abstract of the settlement:
North Memorial Health Care has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement includes a monetary payment of $1,550,000 and a robust corrective action plan.
It all started in 2011 with a stolen laptop from an employee of North Memorial’s business associate, Accretive Health. The laptop was in the employee’s locked car with ~9,500 unencrypted ePHI records on it.
North Memorial is required to complete the following corrective actions:
- Develop Policies and Procedures Related to Business Associate Relationships (90 days from settlement)
- Modify Existing Risk Analysis Process (180 days from settlement)
- Develop and Implement a Risk Management Plan
- Training (60 days from HHS approval of North Memorial’s new policies)
- Promptly File Reportable Events and Annual Reports
Considering only the fine, North Memorial settled with OCR at just over $163 per record. It’s a chilling way for executives to learn a lesson about where cybersecurity should fit in their priorities.
Here’s another angle on this story: The various Pomemon “costs of a data breach” studies sets the amount at about $145 per record. The fine alone exceeds that benchmark. Once all the extra costs are tallied, I wonder what the final cost per record will be?