Data Breach, HIPAA / HITECH Enforcement, News Events, Tip of the Week

State of Minnesota, by its Attorney General Lori Swanson, Plaintiff, v. Accretive Health, Inc., Defendant

A common Business Associate (BA) of many, if not almost all, Covered Entities (CEs) is a debt collection agency that revenue cycle often uses to sell bad debt or collection-worthy accounts to. A significant amount of ePHI is usually transmitted along with the account information to these organizations. Debt collection companies utilize ePHI to establish a record of delivery of healthcare services to an individual, thus validating the debt.

These BA must be careful with ePHI and must adhere to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Just like CEs and other BAs collection agencies need to perform a Risk Analysis to determine if HIPAA and HITECH controls are in place and effective.

Here is one example of a collection agency that had confidential personal, medical and financial records of tens of thousands of Minnesota patients on unencrypted laptop computer. The employee left the laptop inside a parked rental car. The laptop was stolen on July 25, 2011, along with about 23,531 Fairview and North Memorial patients. “Accretive violated privacy laws by failing to keep private patient data secure” according to the United States District Court District of Minnesota.

For assistance with your HIPAA, HITECH, or State level privacy and security program, or for audit or breach help, please visit or 630.270.9336.