State AG Brings First HIPAA Lawsuit Against Business Associate
Last month, I posted on how the treatment of business associates during HIPAA investigations, as well as the assignment of liability for breaches of PHI, remains unclear. A final "omnibus rule" is expected to clarify the HITECH business associate (and other) provisions this year, but in the meantime, much confusion remains.
Despite the lack of final business associate rules, and confusion or not, Minnesota has dived head first into action against a business associate for HIPAA violations. In the first HIPAA enforcement action directly against a business associate, Minnesota Attorney General Lori Swanson has brought an action against Accretive Health, Inc., pursuant to her authority under HITECH. In addition, multiple violations of Minnesota law are alleged, including the Minnesota Health Records Act, debt collection statutes, and consumer protection laws.
Accretive functions in multiple capacities for covered entities in Minnesota, including as treatment coordinator, debt collector and quality cost control and management partner. A breach last summer of data compiled by Accretive resulting from a stolen unencrypted laptop left in a rental car by an employee affected at least 23,531 patients. Information that was on the laptop included personal identifying information (name, address, phone number, Social Security Number), "medical scores" predicting the frailty, complexity and likelihood a patient would be admitted to the hospital, and dollar amounts allocated to the patient's health care provider, as well as whether patients had certain conditions such as bipolar disorder, depression, high blood pressure, asthma and back pain.
The HIPAA violations are quite extensive, with the complaint alleging:
- failure to implement policies and procedures to prevent, detect, contain and correct security violations;
- failure to implement policies and procedures to ensure appropriate access to electronic PHI by members of its workforce and prevent those without authorized access from accessing such PHI in violation of HIPAA;
- failure to effectively train all members of its workforce, agents and independent contractors, on the policies and procedures regarding PHI as necessary and appropriate to carry out their functions and maintain security of the PHI;
- failure to identify and respond to suspected or known security incidents and mitigate, to the extent practicable, harmful effects known to them;
- failure to implement policies and procedures to limit physical access;
- failure to implement policies and procedures governing receipt and removal of hardware and electronic media containing electronic PHI within and without the facility;
- failure to implement technical policies and procedures for electronic information systems to allow access only to those granted access rights; and
- failure to implement policies and procedures as otherwise required by HIPAA.
Almost more interesting than the alleged HIPAA violations (and what could potentially have been one of the driving forces behind the Attorney General taking action rather than the HIPAA violations), the complaint also alleges deceptive and fraudulent practices in that Accretive failed to disclose how much health information it was collecting on patients and its involvement in their health care, detailing in great length the importance of transparency for patients and the doctor-patient relationship. In the press release, Attorney General Swanson stated,
“Accretive showcases its activities to Wall Street investors but hides them from Minnesota patients. Hospital patients should have at least the same amount of information about Accretive’s extensive role in their health care that Wall Street investors do.”
This action has the potential to set precedent in Minnesota as to just how much transparency and information should be viewed as "necessary" for patients to make informed choices regarding their health care and medical records and the extent to which health care entities must take affirmative action to notify patients of their role in their health care.
Although the extensive HIPAA violations are merely one drop in the bucket of allegations against Accretive (e.g., fraud and deceptive practices, failure to notify of status as debt collector, release of health records in violation of the Minnesota Health Records Act), the enforcement action against Accretive makes it quite clear that covered entities aren't the only ones who need to be scrambling to get their ducks in a row. While other state Attorneys General have previously brought actions against covered entities (e.g., Vermont, Indiana, Connecticut), now that a state has gone after a business associate directly, it would not come as a surprise to see other states joining in, even despite the lack of final business associate rules.
For more information regarding what covered entities and business associates can do to prepare for a HIPAA audit or ward off the potential for enforcement action against them, see our November 17 blog post with links to additional HIPAA resources. A copy of the complaint against Accretive may also be found here.