Here’s an announce­ment that should have any HIPAA-cov­ered orga­ni­za­tion sit­ting straight up! Espe­cial­ly busi­ness asso­ciates because this is going to affect their agree­ments with HIPAA cov­ered enti­ties.

From the Office of Civ­il Rights (OCR): $1.55 mil­lion set­tle­ment under­scores the impor­tance of exe­cut­ing HIPAA busi­ness asso­ciate agree­ments.

Here’s their abstract of the set­tle­ment:

North Memo­r­i­al Health Care has agreed to set­tle charges that it poten­tial­ly vio­lat­ed the Health Insur­ance Porta­bil­i­ty and Account­abil­i­ty Act of 1996 (HIPAA) Pri­va­cy and Secu­ri­ty Rules by fail­ing to imple­ment a busi­ness asso­ciate agree­ment with a major con­trac­tor and fail­ing to insti­tute an orga­ni­za­tion-wide risk analy­sis to address risks and vul­ner­a­bil­i­ties to its patient infor­ma­tion. North Memo­r­i­al is a com­pre­hen­sive, not-for-prof­it health care sys­tem in Min­neso­ta that serves the Twin Cities and sur­round­ing com­mu­ni­ties. The set­tle­ment includes a mon­e­tary pay­ment of $1,550,000 and a robust cor­rec­tive action plan.

It all start­ed in 2011 with a stolen lap­top from an employ­ee of North Memo­ri­al’s busi­ness asso­ciate, Accre­tive Health. The lap­top was in the employ­ee’s locked car with ~9,500 unen­crypt­ed ePHI records on it.

North Memo­r­i­al is required to com­plete the fol­low­ing cor­rec­tive actions:

• Devel­op Poli­cies and Pro­ce­dures Relat­ed to Busi­ness Asso­ciate Rela­tion­ships (90 days from set­tle­ment)
• Mod­i­fy Exist­ing Risk Analy­sis Process (180 days from set­tle­ment)
• Devel­op and Imple­ment a Risk Man­age­ment Plan
• Train­ing (60 days from HHS approval of North Memo­ri­al’s new poli­cies)
• Prompt­ly File Reportable Events and Annu­al Reports

Con­sid­er­ing only the fine, North Memo­r­i­al set­tled with OCR at just over $163 per record. It’s a chill­ing way for exec­u­tives to learn a les­son about where cyber­se­cu­ri­ty should fit in their pri­or­i­ties.

Here’s anoth­er angle on this sto­ry: The var­i­ous Pomem­on “costs of a data breach” stud­ies sets the amount at about $145 per record. The fine alone exceeds that bench­mark. Once all the extra costs are tal­lied, I won­der what the final cost per record will be?