Is a stolen laptop packed with medical information on thousands of patients worth paying a $1.55 Million government fine? North Memorial Health Care of Minnesota (“NMHC”) thinks so. It recently agreed to pay $1,550,000 in fines for its “potential” violation of privacy and data security rules imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The violation alleged by the Department of Health and Human Services Office for Civil Rights (“OCR”) arose from the theft of a laptop from a locked vehicle owned by a contractor’s employee. The laptop, which was password protected, contained the individually identifiable personal health information (“PHI”) of 9,497 individuals. The contractor also was given access to the PHI of 289,904 individuals while performing its on-site consulting services relating to bill collection and health care operations.

NMHC was cited for not having a Business Associate (“BA”) agreement with the contractor and not conducting an adequate analysis of security threats to the PHI maintained, accessed and transmitted across NMHC’s IT network. There is no indication in the public record that any individual was actually damaged by the claimed data security breach.

A BA agreement is required to impose privacy restrictions on contractors and other third parties who have access to electronic PHI in their dealings with a “covered entity.” Covered entities include most medical service providers such as physicians, hospitals, clinics and medical laboratories. Self-funded group health plans (but not employers) are also covered entities. So, self-funded group health plans (those that are not fully insured) also need to be mindful of entering into BA agreements with their contract administrators (TPAs) and other third parties involved in plan administration.


Lost and stolen laptops have cost hospitals and other medical service providers many millions of dollars in OCR fines. It seems unlikely that such liability can be prevented by physical security measures alone. Covered entities need to consider maintaining PHI in an encrypted format in order to provide an across the board defense to claimed HIPAA violations and associated big dollar OCR files. Password protection by itself will not afford adequate security for electronic PHI.

A properly drafted BA in frequently overlooked by covered entities in their dealings with contract administrators, consultants, collection agencies and others with access to PHI. A BA also can afford the covered entity (medical service provider or self-funded group health plan) additional contract protection in the event of a data breach involving PHI accessed by a contractor/consultant.

An IT security assessment can help not only with HIPAA compliance but also with state laws mandating the confidentiality of personal information. No one wants to pay millions for a lost laptop, but compliance with state law privacy breach notice requirements, providing security monitoring services for affected individuals, and possible civil liability also can prove to be a substantial burden.

Need more encouragement from the OCR? You can follow OCR on Twitter at for updates on its HIPAA enforcement activities.