Last month Minnesota Attorney General Lori Swanson filed suit against Accretive Health, Inc., a company that provides revenue cycle management services for two Minnesota health systems – Fairview Health Services and North Memorial Health Care. According to the complaint, a laptop computer with sensitive information on 23,500 patients was stolen from a rental car. Eight violations of the HIPAA Security Rule are alleged. The state seeks statutory damages and payment of its legal costs.
HIPAA Business Associates and advisors alike have noted that the federal Department of Health and Human Services (HHS) has not yet finalized the HIPAA changes enacted in the HITECH Act, signed on February 17, 2009. However, the HITECH statute is clear that Business Associates would be regulated by HIPAA one year later, on February 17, 2010. Further, HITECH empowered state Attorneys General to enforce HIPAA.
While the federal government has announced that it will not enforce these regulatory changes until 6 months after it publishes the final regulations, state AGs have made no promise of such a grace period. While this is the first action against a business associate, AGs in Vermont and Connecticut have filed HIPAA cases. The lesson is that business associates – billing companies, technology companies, and collection agencies, to name a few – should comply with the HIPAA Security Rule now.
For more information, see the Minnesota AG’s press release and the complaint.
Editor’s Update: On July 12, 2012, Attorney General Lori Swanson announced a $2.5 million settlement with Accretive Health, Inc. Ultimately, North Memorial Health Care of Minnesota agreed to a $1.55 million settlement with the Office of Civil Rights for its role in the incident.