Accretive Follow-Up: North Memorial Fined $1,550,000.  What happens when your business associate has a bad HIPAA boo-boo?  If you've done what you should have done, then usually you'll be fine, but if you haven't, you can get fined, and big.

North Memorial Health Care paid Accretive to assist it with its revenue cycle management.  Accretive was known for being pretty aggressive in working very closely with hospital clients to get payments, focusing mainly on the patients' responsibility rather than the insurer's, to the point of trying to work out payment plans while the patients were still in the hospital or ER.  While there really should be no problem with a provider of healthcare services, or any other services for that matter, getting paid (surely hospitals and doctors don't have to work for free, do they?), trying aggressively to get those payments can look bad, and that put Accretive, and some of their clients, into the crosshairs of some state attorneys general.

Matters were made geometrically worse when an Accretive staffer had an unencrypted laptop stolen.

North Memorial was an Accretive client.  Normally, North Memorial would not necessarily be fined for its business associate's bad behavior, but the problem here is that Accretive's breach caused North Memorial to come under scrutiny from the HHS Office for Civil Rights (OCR), and unrelated issues (well, unrelated to the actual breach incident/stolen laptop) came to light.  Specifically, North Memorial didn't have a business associate agreement (BAA) with Accretive, which is a pretty obvious HIPAA failure.  But worse, North Memorial did not have a risk assessment.  That is a catastrophic HIPAA failure.

Net Result: $1,550,000 fine.  That's serious money, folks.  

