HIPAA Violations, What Can You Learn from People’s Mistakes

A HIPAA violation by North Memorial Health Care of Minnesota recently resulted in a $1.55 million settlement over a 2011 breach caused by its business associate, Accretive Health. An unencrypted laptop containing protected health information for 289,904 individuals was stolen from an Accretive Health employee.

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Director of the Health and Human Services (HHS) Office for Civil Rights (OCR), Jocelyn Samuels. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”


Samuels was being kind when she told the press that North Memorial merely “overlooked” two essential cornerstones of the HIPAA Security Rule. The penalty levied against North Memorial corresponds to “willful neglect,” which is why the organization is paying a hefty $1.55 million settlement.

OCR is imposing large fines on ‘willfully’ ignorant organizations that fail to complete fundamental compliance requirements such as executing business associate agreements and performing a risk analysis.

What can insurance professionals learn from these mistakes?

Your HIPAA compliance checklist at a minimum should contain these items:

  1. Any shredding company, IT vendor, cloud provider or other subcontractor that has access to PHI (whether electronically or physically) must sign a business associate agreement.
  2. The other major flaw among many insurance professionals is failing to perform a HIPAA Risk Analysis to assess the risks to your agency’s clients’ protected health information.

GRA’s PHI365 service will determine the proper HIPAA compliance protocol with your business associates, perform a risk analysis, and provide the agreement templates needed for HIPAA compliance.

Call us at 800-678-4456, or email [email protected] for more information.