North Memorial Health Care is paying $1.55 million to settle charges that it violated federal health privacy law in connection with the 2011 theft of a laptop computer that contained patient data.
In the settlement announced this week, the U.S. Department of Health and Human Services alleged that North Memorial failed to create a "business associate" agreement with an outside vendor as required by law, and failed to institute an organization-wide risk analysis to address risks to patient information.
Robbinsdale-based North Memorial did not admit liability in the case. In a Thursday statement, the hospital said there's never been an indication that information on the computer was ever accessed or used inappropriately.
The laptop was stolen from the locked car of an employee at Accretive Health, a Chicago-based vendor that subsequently was the subject of a blistering report from Attorney General Lori Swanson that alleged aggressive bill collection practices at Fairview Health Services.
"Two major cornerstones of the [privacy] rules were overlooked," said Jocelyn Samuels, director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, in a statement. "Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprisewide IT infrastructure."
When the privacy breach was first reported in September 2011, the password-protected laptop was said to contain private information on about 14,000 patients at Fairview and 2,800 patients at North Memorial. The laptop had been left in a car parked outside a Minneapolis restaurant, and the patient data was not encrypted.
In documents released this week, HHS said the theft impacted the electronic protected health information of 9,497 individuals at North Memorial. The government said its investigation appeared to show that North Memorial and Accretive Health lacked a business associate agreement that's required under federal health privacy law.
"North Memorial provided Accretive, a business associate, with access to North Memorial's protected health information (PHI) without obtaining satisfactory assurances … that Accretive would appropriately safeguard the PHI," the government said in a resolution agreement posted on an HHS website.
Accretive Health did not respond Thursday to requests for comment.
In its statement, North Memorial said the privacy of patients' health information is a top priority. In the years since the incident, North Memorial said it has revised its security risk analysis and improved privacy processes and training.
"We hold all of our team members to the highest standard when it comes to dealing with information involving our customers," North Memorial said. "It is unfortunate that one of our vendors failed to meet that expectation in 2011. We no longer have a relationship with this vendor."
In addition to the $1.55 million payment, North Memorial must develop an organization-wide risk analysis and risk management plan, according to HHS. The hospital also must implement a corrective action plan, and train workers on related policies and procedures.
After patients at Fairview and North Memorial were notified in September 2011 about the stolen computer, Swanson filed a lawsuit in January 2012 saying Accretive Health violated health privacy laws and state consumer protections.
"Our lawsuit alleged that Accretive Health and North Memorial had no business associate agreement in place to protect patient privacy, and that the two parties only concocted one after our office asked for a copy of it," Swanson said Thursday in a statement. "They gave the agreement a retroactive date to make us believe that it always existed. This was very troubling, and why we referred our lawsuit and our findings to the federal government."
Swanson's office said Thursday that Fairview and Accretive Health had a written business associate agreement in place, and that Fairview did not try to mislead the attorney general's office about its agreements with the vendor.
In April 2012, Swanson released a voluminous report alleging a collections strategy developed by Accretive and implemented at Fairview that included high-pressure tactics in emergency rooms, cancer units and delivery wards. Accretive accused Swanson of grossly distorting its practices, but ultimately agreed to a settlement that included a $2.5 million payment to the state as part of a restitution fund.