BreachExchange mailing list archives

Minnesota Attorney General Reaches First Settlement With Business Associate Under HITECH Act


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 23 Aug 2012 10:09:56 -0400

http://www.mondaq.com/unitedstates/x/191184/Healthcare/Minnesota+Attorney+General+Reaches+First+Settlement+With+Business+Associate+Under+HITECH+Act

On July 30, 2012, Minnesota Attorney General Lori Swanson announced a
settlement agreement with Accretive Health (Accretive) resolving a
lawsuit filed against Accretive in January 2012. The settlement
requires Accretive to stop doing business in Minnesota for two years
and to pay approximately $2.5 million to the State of Minnesota, a
portion of which will be used to compensate patients.

The lawsuit alleged that Accretive violated several provisions of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA),
as modified by the Health Information Technology for Economic and
Clinical Health (HITECH), as well as other state and federal laws. The
case is significant because it represents the first enforcement action
against a business associate under the new provisions of HITECH that
make business associates directly liable (rather than only
contractually liable) for violations of HIPAA and, in particular, for
breaches of Protected Health Information (PHI). (Although the attorney
general alleged in the alternative that Accretive was a covered
entity, it relied primarily on its status as a business associate.)
The case also illustrates aggressive use of the enforcement authority
granted by HITECH to state attorneys general.

Swanson's Complaint Against Accretive Initially Focused on Violation
of Federal Privacy Law

Accretive is a company for which the stated goal is to strengthen the
financial position of health care providers. It contracts with
hospitals to manage their revenue cycles and cut the cost of patient
care. In the course of fulfilling its contractual obligations,
Accretive gains access to the PHI of hospital patients and, as a
business associate of covered entities, must comply with the HIPAA
security provisions and certain privacy provisions.

In July 2011, a laptop was stolen from the rental car of an Accretive
employee. Swanson alleged that the laptop was unencrypted and
contained sensitive data on more than 23,000 patients. She further
alleged that Accretive violated federal security laws by failing to
encrypt electronic PHI (ePHI) on laptops, allowing employees to take
the laptops containing ePHI out of hospital facilities, failing to
effectively train its workforce members to maintain the security of
PHI, and failing to identify and respond to the theft of PHI, among
other violations.

In June 2012, Swanson amended her complaint to add that Accretive
failed to execute a business associate agreement before receiving PHI,
failed to implement security safeguards that could have prevented the
theft of the PHI, and gave its employees information that exceeded the
minimum necessary information needed to perform their jobs. The case
gained national prominence when Swanson added myriad allegations that
Accretive violated several Minnesota state laws by, for example,
engaging in deceptive, abusive, and aggressive collection practices.

State Attorney General Used New Enforcement Authority and Business
Associate Requirements Enacted Under HITECH

Pursuant to HITECH, business associates like Accretive are responsible
for employing appropriate administrative, physical, and technical
safeguards established under the HIPAA security rule and promptly
reporting breaches of PHI to covered entities, to allow for the
notification of individuals and the mitigation of any risk to
individuals resulting from such breaches. Business associates also are
responsible for complying with the minimum necessary standards set
forth in HITECH.

HITECH also expanded the enforcement of HIPAA by granting authority to
state attorneys general to bring civil actions and obtain damages on
behalf of state residents for violations of HIPAA. In 2011, the Office
for Civil Rights provided five regional training sessions to assist
state attorneys general and their staff to implement this new
authority.

Practical Advice for Covered Entities and Business Associates

The settlement illustrates that business associates, as well as
covered entities, can face serious consequences for perceived
violations of privacy laws. They should take all necessary steps to
ensure compliance with applicable HIPAA privacy and security
provisions. In light of the restrictive terms of this settlement,
business associates and covered entities should consider the following
recommendations:

- Examine their HIPAA security to make certain that their safeguards
  are adequate to prevent breaches of PHI and that their staff are
  adequately trained
- Review their privacy policies and ensure that they are complete,
  organized, and consistent with HIPAA, HITECH, and any state laws to
  which they are subject
- Verify that their actual practices regarding HIPAA privacy and
  security conform to the requirements of the written policies and
  procedures, and properly document their compliance
- Ensure that a business associate agreement has been executed before
  any PHI is transferred to a business associate

Conclusion and Implications

Although Swanson's lawsuit is the first example of a state attorney
general using his or her new enforcement power against a business
associate, this case could be an indication of many such lawsuits to
come. The inclination of attorneys general in using this authority may
vary from state to state, but, certainly, some others are likely to
take similarly aggressive approaches to the enforcement of privacy and
consumer protection laws. Moreover, as this case demonstrates, a
privacy enforcement action may open the door to further allegations of
wrongdoing. Going forward, it is important for businesses subject to
these rules to take steps to protect against enforcement exposure and
help ensure compliance.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list