A recent settlement between a Minnesota hospital system, North Memorial Health Care, and the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), is highly instructive with respect to the liability of covered entities (CEs) and business associates (BAs), and to the interplay between the two. It also underscores that, although the HIPAA Omnibus Rule is a set of federal regulations, covered entities and business associates face additional exposure because state attorneys general have in effect been deputized to prosecute claims for violations of HIPAA and HITECH.
Now for the story: In March 2011, North Memorial Health Care, a Minnesota hospital system, hired Accretive Health, Inc. to provide revenue cycle operations. In July 2011, an employee of Accretive left an unencrypted laptop containing PHI in the back seat of a rental car parked in a bar and restaurant district in Minneapolis. The laptop was stolen. For those of you who follow current news about HIPAA breaches, the lost-laptop saga and the resulting HIPAA breach are all too common. It is important to remember, however, that in the old days (2011) the lost laptop, the HIPAA breach, the need for encryption, and the resulting consequences were not as well known as they are today.
1. In 2012, the Minnesota Attorney General brought an action against Accretive for the HIPAA breach, together with state law claims. The Attorney General initiated the civil action pursuant to her authority under HITECH to bring claims on behalf of state residents for violations of HIPAA. Ultimately, Accretive settled the case with the Minnesota Attorney General for $2.5 million.
This appears to be the first time an action was brought against a business associate under the provisions of HITECH that made business associates directly and statutorily liable for violations of HIPAA.
2. In addition to the Minnesota Attorney General, the Federal Trade Commission brought an action against Accretive asserting that it had inadequate data security. In late 2013, a final consent order was entered that requires Accretive to establish a comprehensive information security program and to have it evaluated by a third party every two years for the next 20 years.
3. Furthermore, OCR initiated an investigation of North Memorial Health Care following receipt of the breach report in September 2011. OCR’s investigation found that the hospital system failed to have a business associate agreement in place with Accretive and failed to perform a risk analysis addressing all potential risks and vulnerabilities. This month (March 2016), well over four years after OCR received the breach report, North Memorial Health Care agreed to pay a $1.55 million settlement.
It is of particular interest that at the time of Accretive’s breach in 2011 the HIPAA Omnibus Rule had not yet been issued. Although a covered entity had to enter into a BAA (business associate agreement) with its business associates and take certain steps once a breach by an associate occurred, it could not be held directly liable for a breach by its business associate beyond the contractual liability created by the BAA. Under the HIPAA Omnibus Rule issued in 2013, a covered entity may be directly liable under both the statute and contract law.
Therefore, technically, North Memorial Health Care could not be held directly liable for the 2011 breach by its BA, Accretive. Nevertheless, by sheer virtue of the fact that the hospital system did not enter into a BAA with Accretive and did not have a risk analysis, it will pay $1.55 million.
Post-2013, a CE may be held directly liable for breaches by its BAs, in addition to liability for any other failure, including the lack of a risk analysis or of business associate agreements.
In closing, we are not living in the olden days when HIPAA compliance was viewed as abstract, theoretical or aspirational; we have come a long way from 2011. But the reality is that:
Many CEs and their respective BAs do not recognize the ever-increasing resources that the government is devoting to HIPAA audits and compliance, or the ease with which any patient or whistleblower can report a breach. Let’s face it, we live in a digital world, and there are almost daily news reports of data breaches.
CEs and BAs are not enclosed in a protected zone or cocoon; much to the contrary, healthcare information is of great value to computer hackers and to any wrongdoer who finds a lost laptop.
The importance of conducting a proper and robust risk analysis and entering into business associate agreements is ever increasing. If nothing else, this case indicates that, separate and apart from liability for a data breach, CEs and BAs can be fined for failure to have a risk analysis or proper BAAs.
There are numerous governmental agencies that can enforce HIPAA, HITECH and state statutes and regulations.
DISCLAIMER – This post and the analysis submitted are not a legal conclusion and should not be construed as such but are presented for discussion and informational purposes.
I am not admitted to practice in the state of Texas, I am not certain that my analysis is correct under Texas law, and invite any practitioners who disagree with my analysis to comment and explain why this analysis is incorrect. As always, legal advice and training should be obtained from licensed professionals within the jurisdiction.
About Mendel Zilberberg:
An attorney, visionary and entrepreneur admitted to practice in New York, New Jersey and Florida who has represented and counseled clients with nationwide interests in many areas of the healthcare arena.
MZ blog : www.stateofthought.com
The use of ePHI is growing exponentially, the likelihood of a breach is ever increasing, and the regulating authorities are ramping up their audit and enforcement programs. Covered Entities (CEs) and Business Associates (BAs) must understand the importance of maintaining the integrity of ePHI and of compliance with the relevant regulations, and must thoroughly understand the potential consequences of non-compliance.