HIPAA Business Monitoring
HIPAA Services Menu: Compliance Forms | Risk Analysis | Personnel Training | Business Monitoring
Major HIPAA mistakes: Business Associate Agreements
You can learn a lot from someone else’s mistakes. A HIPAA violation by North Memorial Health Care of Minnesota recently resulted in a $1.55 million settlement due to a 2011 breach by fault of their business associate, Accretive Health. An un-encrypted laptop that contained protected health information for 289,904 individuals was stolen from an Accretive Health employee.
“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Director of the Health and Human Services (HHS) Office for Civil Rights (OCR), Jocelyn Samuels. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
Samuels was kind by simply stating to press that North Memorial “overlooked” one essential cornerstones of the HIPAA Security Rule. The penalty levied against North Memorial translates to “willful neglect” and is why they’re forced to pay a hefty $1.55 million settlement. OCR is imposing large fines on ‘willfully’ ignorant organizations that do not complete fundamental compliance requirements like issuing business associate agreements.
What can insurance professionals learn from these mistakes?
If your agency elects to use a shredding company, IT vendor, cloud provider or other subcontractor that has access to PHI (whether electronically or physically), a business associate agreement needs to be signed. It should contain language that requires them to implement appropriate safeguards for protecting client PHI as well as directly complying with the applicable requirements of the HIPAA Security and Privacy Rule.
GRA’s PHI365 service will provide the business associate agreements you need for HIPAA compliance. Contact us to learn more.