A Minnesota provider will pay $1.55 million to settle HIPAA violation charges relating to the lack of a business associate agreement.

The Department of Health and Human Services' Office of Civil Rights began investigating North Memorial Health Care, based in Robbinsdale, when the organization reported a data breach in September 2011. A stolen, unencrypted laptop contained the protected health information of 9,497 individuals.

The HIPAA violation charge says the health system failed to enter into a business associate agreement with Accretive Health, which was granted access to the organization's patient database containing the protected health information of 289,904 people.

North Memorial also didn't conduct a risk analysis to assess vulnerabilities of its patient data.

"Two major cornerstones of the HIPAA rules were overlooked by this entity," said Jocelyn Samuels, director of HHS' OCR. "Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure."

North Memorial must develop an organization-wide risk analysis and management plan train all staff affected by the new plan.