[ Friday, January 20, 2012 ]
Accretive Health (Minnesota) Data Breach: The Minnesota AG has sued a healthcare service group for Fairview Health and North Memorial in Minnesota hired Accretive as their debt collection company, and Accretive lost a laptop with unencrypted patient data. The data included stuff you'd expect a debt collector to need (names, SSNs, amounts owed, even procedures performed), but the data also included information on chronic conditions and how the patient is responding to treatment. The AG believes that the medical information should not have been shared with Accretive.
This makes for an interesting case, because it has 2 distinct components. To the extent Accretive should have encrypted or otherwise protected the data, it's probably a HIPAA violation by them for failure to implement reasonable physical and technical security safeguards; but that's a question of fact, since encryption is not a required element. Accretive is also directly liable under HITECH, although under the original HIPAA rules, it would have only been Fairview and North Memorial that would have been impacted.
The second element is the question of whether Fairview and North Memorial violated the "minimum necessary" rule by giving Accretive the medical condition and progress information. One could argue (I probably would if I were them) that the information is relevant to debt collection -- to make a claim you might need to say what the debt was for, and to argue the value of the services, it might be necessary to know how the patient fared with the treatment.
It will be an interesting case. The AG has gone after the "villain" debt collector, and so far left the hospital entities alone. Let's see if she keeps that strategy. She is obviously grandstanding, pitting "Wall Street investors" against poor, suffering patients. This is exactly the sort of thing I have been warning about in connection with the HITECH changes that give enforcement power to state attorneys general.
Jeff [9:15 AM]