Data Breach, HIPAA / HITECH Enforcement, News Events, Tip of the Week

State of Minnesota, by its Attorney General Lori Swanson, Plaintiff, v. Accretive Health, Inc., Defendant

A common Business Associate (BA) of many, if not almost all, Covered Entities (CEs) is a debt collection agency that revenue cycle often uses to sell bad debt or collection-worthy accounts to. A significant amount of ePHI is usually transmitted along with the account information to these organizations. Debt collection companies utilize ePHI to establish a record of delivery of healthcare services to an individual, thus validating the debt.

These BA must be careful with ePHI and must adhere to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Just like CEs and other BAs collection agencies need to perform a Risk Analysis to determine if HIPAA and HITECH controls are in place and effective.

Here is one example of a collection agency that had confidential personal, medical and financial records of tens of thousands of Minnesota patients on unencrypted laptop computer. The employee left the laptop inside a parked rental car. The laptop was stolen on July 25, 2011, along with about 23,531 Fairview and North Memorial patients. “Accretive violated privacy laws by failing to keep private patient data secure” according to the United States District Court District of Minnesota.

For assistance with your HIPAA, HITECH, or State level privacy and security program, or for audit or breach help, please visit www.RISCsecurity.com or 630.270.9336.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s