HIPAA Enforcement: Why a Business Associate Agreement is Critical

HIPAA Enforcement: Why a Business Associate Agreement is Critical

Laptop theft is one of the most common causes of patient information breaches and it is growing more expensive for HIPAA-Covered entities as federal regulators crack down hard.

Already this year, laptop thefts were central to two multi-million settlements with the Office of Civil Rights:

  • $1.55MM settlement – North Memorial Health Care – Robbinsdale, Minnesota

A laptop was stolen from a business associate’s locked car in 1997.  It affected the protected health information of 9,497 patients.  There was no BAA in place with the business associate.  The hospital neglected to conduct a risk assessment as required by the HIPAA Security Rule.

In addition to the $1.55MM payment, the hospital is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule.  North Memorial will also train appropriate workforce members on all policies and procedures, newly developed or revised, pursuant to this corrective action plan.

  • $3.9MM Settlement – Feinstein Institute for Medical Research, Manhasset, NY

A laptop was stolen from an employee’s car.  Approximately 13,000 patients’ and research participants’ PHI was affected.  OCR alleged that the Institute’s security process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to PHI.  OCR also found that the Institute did not maintain adequate HIPAA security policies and procedures.

  • $750,000 Settlement – Raleigh Orthopaedic Clinic – North Carolina

A failure to execute a BAA prior to turning over PHI (x-rays and documentation) of 17,300 to a potential business partner.  Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopaedic surgery center in the Raleigh, North Carolina area.  The settlement includes a monetary payment of $750,000 and a robust corrective action plan.


This is a reprint of an article written by Dena Feldman of Covington and Burling LLP’s Washington DC office.  It was originally found in the Summer 2016 edition of Security Shredding News magazine.


Post A Comment

Your email address will not be published. Required fields are marked *