As shocking as it may be, in this day and age there are still many hospitals and medical-related businesses that have not made sufficient risk assessments relating to patients’ protected health information (“PHI”) and the third party vendors that have access to this information. This is pertinent to large organizations such as hospitals, smaller organizations like a physician or dental office, and the third party vendors that work with these types of entities (for example, IT and copier repair companies or cleaning services). Last week, a resolution agreement between the United States Department of Health and Human Services Office for Civil Rights (“OCR”) and North Memorial Healthcare proved that this issue is still extremely relevant and potentially costly. In this instance, North Memorial self-reported to OCR that an unencrypted laptop containing the PHI of approximately 10,000 individuals was stolen from its third party vendor.
Unbelievably, there was no business associate agreement between the hospital and its vendor. At the conclusion of the investigation, North Memorial agreed to pay 1.55 million dollars to resolve allegations that it violated HIPAA and agreed to enter into a robust compliance program governing how it would enter into business associate agreements (“BAA”) going forward. A copy of the actual Resolution Agreement is available from OCR.
Before addressing what North Memorial agreed to do going forward, understand that North Memorial, as a “covered entity,” was required to take certain steps to protect PHI under HIPAA and to report any breach of this obligation directly to OCR. OCR is the governmental agency in charge of enforcing the rules and regulations surrounding the privacy of individually identifiable health information, and it has the authority to conduct compliance reviews and to investigate complaints alleging violations of the HIPAA rules generally.