OCR just announced another huge settlement. The $1.5 million settlement with North Memorial Health Care is based on the alleged failure to enter into a business associate agreement and alleged failure to conduct a risk analysis. The investigation started (as the investigations behind many OCR settlements do) after OCR received a breach report regarding a stolen laptop from North Memorial. That report indicated the laptop belonged to a workforce member of North Memorial’s business associate, Accretive Health. Like most recent settlements, OCR highlighted the need to conduct a risk analysis, but this is the first settlement that has focused on the lack of a business associate agreement.
The press release and resolution agreement are available at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html