In what appears to be the first enforcement action under the Health Insurance Portability and Accountability Act (“HIPAA”) against a business associate, the Minnesota Attorney General has filed a lawsuit against Accretive Health alleging a substantial number of Security Rule and other violations. The Attorney General is pursuing this action despite the fact that the U.S. Department of Health and Human Services (“HHS”) has not yet published final rules clarifying the privacy and security obligations of business associates under HIPAA and its sister law, the HITECH Act.
Accretive Health had been hired by two hospitals to perform revenue cycle management services including scheduling, registration, admissions, billing, collection, and payment functions. The lawsuit followed the theft of an unencrypted, password-protected laptop containing protected health information (“PHI”) for approximately 17,000-23,000 patients from an Accretive Health employee’s car. The PHI impacted by this theft included patient names, social security numbers, and clinical information.
The complaint alleges that Accretive Health failed to initially identify and disclose the names of all patients whose PHI was contained on the laptop, as approximately 6,000 additional individuals were notified of the breach only after one of the hospitals retained an independent forensic investigator.
The complaint further alleges multiple violations of HIPAA, HITECH, and various Minnesota state consumer protection laws by Accretive Health. The alleged security violations include:
- Failure to implement policies and procedures to detect, contain, and correct security violations;
- Failure to implement policies and procedures that address workforce member access to PHI;
- Failure to effectively train employees;
- Failure to implement technical controls that permit only authorized access to PHI;
- Failure to identify, respond to, and mitigate the harmful effects of a security incident; and
- Failure to implement policies and procedures related to portable devices.
While the remedies available to the Minnesota Attorney General are limited to $25,000 per year (compared to the $1.5 million available to the federal government), this lawsuit sends a stern warning to business associates everywhere. Despite the lack of regulatory guidance from HHS, HITECH’s extension of HIPAA privacy and security obligations to business associates under Section 13401 is already in effect. Accordingly, business associates should not defer implementing compliance measures until the final HITECH rules are released. Rather, they should consider immediate implementation of compliance measures designed to minimize current exposure in the event of an incident and to facilitate rapid implementation of the final rules upon issuance.