Here are five things to know.
1. HHS’ Office of Civil Rights began investigating North Memorial Health Care following the report of a data breach in September 2011. The breach involved a stolen, unencrypted laptop containing the protected health information of 9,497 individuals.
2. The HIPAA violation charge says the health system failed to enter into a business associate agreement with Accretive Health.
3. The OCR’s investigation uncovered that Accretive was granted access to the health system’s database containing the PHI of 289,904 people and access to non-electronic PHI, without a business associate agreement. Additionally, the health system did not establish an organization-wide risk analysis to address patient information risks and vulnerabilities.
4. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, director of HHS’ OCR. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
5. In addition to the $1.55 million settlement, North Memorial must develop an organization-wide risk analysis and management plan. The health system will also provide training for all staff members affected by the new plan.