One Beacon Street
Suite 1320
Boston, MA 02108

T 617.720.5090
F 617.720.5092


One Cedar Street
Suite 300
Providence, RI 02903
T 401.454.0400
F 401.454.0404

March 22, 2016

Failure to execute HIPAA business associate agreement and conduct risk analysis costs health system $1.55M


A Minnesota health care system has agreed to pay the Office of Civil Rights (“OCR”) $1.55 million to settle claims that it violated “[t]wo major cornerstones of the HIPPA Rules” by failing to execute a HIPAA Business Associate Agreement (“BAA”) with a major contractor and failing to conduct a system-wide risk analysis. OCR initiated its investigation into North Memorial Health Care of Minnesota (“North Memorial”) in 2011, after it received a report that an unencrypted laptop was stolen from the vehicle of an employee of Accretive Health (“Accretive”), one of North Memorial’s business associates. The breach affected the electronic protected health information (“ePHI”) of more than 9,000 patients.

According to an OCR press release, the investigation revealed that North Memorial allowed Accretive to access the hospital’s database, including the ePHI of nearly 300,000 patients, without having a BAA in place as required under the Privacy and Security Rules. In addition, OCR discovered that North Memorial had not completed a thorough risk analysis into the potential risks and vulnerabilities of the ePHI maintained by the system as required under the Security Rule. Under its Corrective Action Plan, North Memorial will be required to conduct a system-wide risk analysis and develop a risk management plan, develop policies and procedures regarding business associate relationships, and provide additional training to its workforce.

The OCR reminds covered entities that to avoid violating HIPAA – and the possible sanctions that follow a violation – “[o]rganizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

The North Memorial Resolution Agreement and Corrective Action Plan can be accessed here.

About the Authors

Robert Blaisdell

Robert Blaisdell is a Boston attorney providing general business and corporate legal services to healthcare clients. You can find him on LinkedIn.

Abbey Coffin

Abbey Coffin is a Boston attorney providing state and federal regulatory guidance and corporate legal services to healthcare providers. You can find her on LinkedIn.


Health Law