This year marks the first formal HIPAA enforcement action against a business associate. We've been talking about the increase in Health Insurance Portability and Accountability Act (HIPAA) enforcements and planned audits for 2012, and it seems that enforcement is now extending to business associates.
Minnesota Attorney General Lori Swanson has filed a lawsuit against Accretive Health, a debt collection agency, for "failing to protect the confidentiality of patient health care records and not disclosing to patients its extensive involvement in their health care through its role in managing the revenue and health care delivery systems at two Minnesota hospital systems."
The lawsuit follows the theft of an unencrypted laptop computer containing approximately 23,500 patient records.
As discussed by Davis Wright Tremaine, state attorney generals are not bound by the US Department of Health and Human Services (HHS) decision to not enforce HITECH (and HIPAA) violations against business associates. Given this new lawsuit, businesses should review whether they are complying with current requirements of the HITECH Act and HIPAA.
Absolute Software has been providing healthcare organizations with solutions for HIPAA compliance for many years – learn more here.