First Lawsuit Filed Against a Business Associate Under HIPAA / HITECH

4 Min Read

The first HIPAA enforcement action against a business associate has been filed by the Minnesota Attorney General’s office.

The first HIPAA enforcement action against a business associate has been filed by the Minnesota Attorney General’s office.

In part, it’s the same old sloppy story: unencrypted laptop loaded with PHI stolen out of a rental car … sheesh, when will they ever learn?  (See: Privacy and Security: Joke or No Joke?)  Cleaner policies and procedures, and internal enforcement, would have made this a non-event, not reportable, off the front pages, and out of court.  Instead, the buisiness associate and the covered entity have gotten plenty of negative publicity, which will include a trip to the Wall of Shame.  Perhaps the advent of the HIPAA audits by government contractor KPMG, together with unpredictable actions of state attorneys general will motivate business associates and covered entites to get with the program.

Here are the twists in this case:

1. The federales have said that they’re not going to go after business associates until they finally finalize their regs (they’ve missed the HIPAA / HITECH deadline), but State AGs have been given enforcement authority under HIPAA / HITECH, and they’ve jumped the gun.  (For more on state AG enforcement, see: HIPAA enforcement by state attorneys general: The shape of things to come.)

2. The Minnesota AG is also going after the business associate on the unfair and deceptive business practices front — for failing to disclose to patients the way in which they use their data (they make one set of disclosures to patients, another to Wall Street). See full complaint against Accretive Health (PDF).

As I’ve been saying for a while, we’re going to see more aggressive HIPAA enforcement from beyond the Beltway; this case is an exemplar of just one manifestation of the phenomenon.  Another is the growth of private lawsuits bootstrapped on violations of HIPAA or related state laws (this, despite HIPAA’s clear statement that it does not provide for third-party lawsuits).

In addition to the HIPAA issues, there’s the predictive modeling and consumer transparency side of the case: Accretive, a management consultant to a hospital system, was being paid based on a percentage of cost savings, and was using PHI in its predictive model of patient-specific health care costs.  The complaint alleges that this use was not made clear to the patients, though I don’t beleive the allegation was made that such use would be improper if appropriate disclosures were made.  

Should more explicit disclosures about the uses of health data be made even if not required by federal or state law?  I sometimes counsel clients to be more proactive than may be strictly necessary in this department, in order to be sensisitve to the “man on the street” perception of privacy rights — even in situations where the law does not require that certain data be handled as protected health information subject to HIPAA.  The benefit is broader than compliance and risk mitigation; it signals a sensitivity to a hot-button issue that may improve customer relations and improve risk management.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting
 
 

Share This Article
Follow:
DAVID HARLOW is Principal of The Harlow Group LLC, a health care law and consulting firm based in the Hub of the Universe, Boston, MA. His thirty years’ experience in the public and private sectors affords him a unique perspective on legal, policy and business issues facing the health care community. David is adept at assisting clients in developing new paradigms for their business organizations, relationships and processes so as to maximize the realization of organizational goals in a highly regulated environment, in realms ranging from health data privacy and security to digital health strategy to physician-hospital relationships to the avoidance of fraud and abuse. He's been called "an expert on HIPAA and other health-related law issues [who] knows more than virtually anyone on those topics.” (Forbes.com.) His award-winning blog, HealthBlawg, is highly regarded in both the legal and health policy blogging worlds. David is a charter member of the external Advisory Board of the Mayo Clinic Social Media Network and has served as the Public Policy Chair of the Society for Participatory Medicine, on the Health Law Section Council of the Massachusetts Bar Association and on the Advisory Board of FierceHealthIT. He speaks regularly before health care and legal industry groups on business, policy and legal matters. You should follow him on Twitter.
Exit mobile version