HHS Nets Over $5 Million in HIPAA Settlements Involving Stolen Laptops | Practical Law


The Department of Health and Human Services (HHS) has announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving a nonprofit health care provider. The provider will pay $1,550,000 to settle the potential violations and must take corrective measures that include developing an organization-wide risk analysis and risk management plan. HHS also announced a $3.9 million HIPAA settlement involving potential HIPAA violations resulting from a stolen laptop.


Practical Law Legal Update w-001-6362 (Approx. 6 pages)


by Practical Law Employee Benefits & Executive Compensation
Published on 18 Mar 2016
USA (National/Federal)
On March 16, 2016, HHS issued a resolution agreement and related press release announcing a settlement with a nonprofit health care provider in Minnesota (serving the Twin Cities), a HIPAA covered entity, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules (see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule). (For a second settlement, involving a $3.9 million HIPAA settlement resulting from a stolen unencrypted laptop, see Practical Impact.)
HHS began its investigation after the provider submitted a breach notification to the government involving the theft of an unencrypted laptop containing electronic protected health information (ePHI) from the locked vehicle of one of the provider's major contractors (see Practice Notes, HIPAA Breach Notification Rules for Group Health Plans and HIPAA Enforcement and Group Health Plans: Penalties and Investigations, and the HIPAA Privacy, Security, and Breach Notification Toolkit). The provider will pay $1,550,000 to settle the potential violations and must adopt a corrective action plan (CAP) that includes developing an organization-wide risk analysis and risk management plan.
According to HHS, the provider's breach report indicated that the electronic PHI of nearly 9,500 individuals was accessed when a password-protected but unencrypted laptop was stolen from the locked vehicle of an employee of the provider's contractor. At the time of the breach, the provider and the contractor had not yet entered into a business associate (BA) agreement, though they did so a few months after the theft (see Standard Document, HIPAA Business Associate Agreement). As a result, at the time of the theft the provider had given the contractor access to its database, which stored the electronic PHI of nearly 290,000 individuals, without having obtained satisfactory assurances under a BA agreement that the provider's PHI would be protected. According to HHS, the provider also failed to conduct a thorough risk analysis that incorporated all of its technology equipment, applications, and data systems using electronic PHI.
Under its resolution agreement with HHS, in addition to the $1,550,000 payment, the provider must:
  • Comply with the CAP (see Corrective Action Plan), and retain all documents and records relating to CAP compliance for six years.
  • Submit annual reports detailing its compliance with the CAP for each reporting period.

Corrective Action Plan

The CAP requires the provider to develop policies and procedures related to its BA relationships, including:
  • Designating one or more individuals to ensure that it enters into BA agreements with all its BAs before disclosing PHI to them.
  • Creating a process for determining when a business relationship requires a BA agreement.
  • Creating a process for negotiating and entering into BA agreements and maintaining documentation of the agreements for at least six years.
  • Limiting disclosures of PHI to BAs to the minimum necessary for the BAs to perform their duties.
The CAP also requires the provider to:
  • Complete, for approval by HHS, a comprehensive risk analysis of security risks and vulnerabilities that reflects all electronic equipment, data systems, and applications that contain, store, transmit, or receive electronic PHI.
  • Develop a complete inventory of all electronic equipment, data systems, and applications that contain or store electronic PHI, which will be incorporated in the risk analysis.
  • Develop, also for approval by HHS, an organization-wide risk management plan to address and mitigate any security risk and vulnerabilities identified in the risk analysis.
Additionally, the provider must:
  • Provide training to all appropriate workforce members on its BAs and risk management policies and procedures newly developed or revised pursuant to the CAP (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials).
  • Promptly investigate potential violations of its compliance policies and procedures and, if it determines a violation has occurred, notify HHS in writing within 30 days.

Practical Impact

This settlement is but the latest in a steady drumbeat of expensive (and public) resolution agreements between HHS and HIPAA covered entities, including several within the past few months. Just a day after this settlement, in fact, HHS announced a $3.9 million settlement with a research institute, which also involved the theft of an unencrypted laptop computer containing individuals' ePHI from an employee's car.
Although HIPAA's BA agreement provisions have been in place for many years (see Standard Document, HIPAA Business Associate Agreement), the requirement regarding enterprise-wide risk analyses is a more recent focus of the agency's aggressive enforcement activities (see Legal Updates, Malicious Malware Leads to $750,000 HIPAA Settlement, $3.5 Million HIPAA Settlement Highlights Need for Training and Stolen Laptop Bag Leads to $750,000 HIPAA Settlement). An entity's risk analysis should therefore address all facets of its IT infrastructure, including software, servers, databases, and workstations – and laptops, the portable technology at the center of so many recent settlement agreements.