On January 19, the Minnesota Attorney General (the AG) filed a lawsuit accusing Accretive Health of various violations of HIPAA and Minnesota state law. Thought to be the first HIPAA enforcement action against a business associate, the complaint includes a substantial number of alleged violations of specific Security Rule provisions. Notably, these allegations are pursued by the AG even though the U.S. Department of Health and Human Services (HHS) has not yet published its final rules requiring business associates to comply with the Security Rule, and despite the fact that Accretive’s customers apparently did not require it to be fully compliant with the Security Rule by contract.
How is that possible? The Health Information Technology for Economic and Clinical Health (HITECH) Act directs HHS to issue final rules implementing its requirements, including rules that would fully apply the Security Rule to business associates. Nevertheless, the HITECH Act also states on its face that the provisions of the Security Rule shall apply directly to business associates (see 42 U.S.C. § 17931). That statute is effective now. The AG has determined, as evidenced by its complaint, that it need not wait for HHS’s final HITECH rules prior to directly enforcing the terms of the statute.
The AG’s claims follow the theft of an unencrypted laptop from the rental car of an Accretive employee. The laptop is thought to have contained information about approximately 24,000 Minnesota residents who were patients of two hospitals that contracted with Accretive for services that appear to have included both debt collection and treatment coordination. Unfortunately, the information was fairly extensive, including Social Security numbers and a variety of health information such as HIV status.
The AG’s complaint alleges at least nine violations of the Security Rule, including failure to maintain policies to prevent or correct violations, failure to implement policies to ensure only authorized access to information, failure to effectively train employees, failure to appropriately respond to security incidents, failure to limit physical access to information systems, failure to implement policies governing movement of portable devices, failure to implement technical controls that permit only authorized access, and general failure to document all implementing policies as required by the rule. Presumably, if the case culminates in a penalty award for the AG, some of the violations alleged will be multiplied by the number of records affected when arriving at a final penalty. (Interestingly, the AG also seeks various equitable remedies including an order compelling Accretive to disclose to Minnesota residents “the data that it has about them, where and how such data is stored, including but not limited to whether it has been sent overseas, and how such data is utilized.”)
So what’s the lesson here? Many business associates have assumed they can delay Security Rule compliance because HHS has not issued final rules and because their covered entity clients have not yet updated their business associate agreements to require full Security Rule compliance. This action by the Minnesota AG signals that the assumption is both faulty and dangerous, particularly in light of the high monetary penalties state AGs can pursue for HIPAA violations. Business associates should begin in earnest their efforts to comply with the Security Rule, and other newly applicable HIPAA requirements, both to avoid similar actions by state AGs and to position themselves to more readily implement HHS’s final HITECH rules, which are expected imminently.