HHS and Healthcare Providers Reach Settlements After Alleged HIPAA Violations

The providers reportedly failed to have business associate agreements, including an agreement with a debt collector, in place to protect patients’ private health information.

The U.S. Department of Health and Human Services (HHS) recently reached settlement agreements with two healthcare organizations over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Both cases centered on data security practices and on the absence of proper agreements with business associates.

North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle charges that it potentially violated HIPAA by “failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information,” according to a news release from HHS.

North Memorial Health Care gave its business associate, Accretive Health, Inc., a third-party debt collector based in Chicago, access to the hospital database and to protected health information for 289,904 patients. The company also had access to non-electronic protected health records when it performed services on site at North Memorial, according to HHS.

North Memorial reported that one of its business associate’s laptops, containing protected health information, was stolen from a locked vehicle in 2011, according to HHS. The HHS Office for Civil Rights opened an investigation into the hospital’s security practices after the theft and found that “North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that the business associate could perform certain payment and healthcare operations activities on its behalf.”

In addition to the $1.55 million settlement payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the HIPAA Privacy and Security Rules, according to HHS. As part of the settlement’s corrective action plan, the hospital must also train appropriate employees on all policies and procedures it develops or revises.

Business associate agreements and added data security steps are important for healthcare providers and their partners to have in place in order to protect patients’ private health information and ensure compliance with HIPAA, ACA International previously reported in Collector magazine.

Debt collection companies working with healthcare clients have an added layer of security they need to provide under the Health Information Technology for Economic and Clinical Health (HITECH) Act to ensure compliance with HIPAA.

“HIPAA changed pretty significantly about two years ago … and one of the important changes is that [business associates] are directly liable for HIPAA violations,” said Adam Bullian, COO of QIP Solutions in the Collector article.

HHS also reached a separate settlement agreement this month with Feinstein Institute for Medical Research after the institute potentially violated the HIPAA Privacy and Security Rules. Here too, a laptop containing protected health information was stolen from an employee’s car, prompting an investigation by the Office for Civil Rights. Investigators found that Feinstein’s security management process was limited in scope, incomplete and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of the protected health information it held, according to HHS. Feinstein also lacked policies and procedures for authorizing its employees’ access to protected health information.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said Office for Civil Rights Director Jocelyn Samuels in an HHS news release. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

Investing in the resources needed to secure protected health information and your organization’s technology can be costly, but the expense of a data breach is greater still.

The best way to mitigate risks, limit the impact of a data breach and prepare for a HIPAA compliance audit is to be ahead of the game on all fronts: a documented risk analysis, executed business associate agreements and trained staff before an incident, not after.

“It’s going to reduce your costs because you have a process,” said Robert Zimmerman, managing partner of QIP Solutions in Collector. “It’s definitely the first step toward HIPAA compliance.”