Although Department of Health and Human Services (HHS) data show that breaches involving business associates account for 62 percent of all patient records breached (as discussed in this blog post), until recently there had been no government legal action taken against a business associate.
Minnesota's Attorney General is suing a business associate over a breach that occurred last year, when an unencrypted laptop holding 23,500 patient records was stolen from an employee's car. The business associate, Accretive Health, is a licensed debt collector that also provides a patient analysis service to hospitals.
Part of the reason Accretive Health was singled out may be that the case goes beyond the breach itself: the lawsuit also claims the company accessed and used patient data without the patients' knowledge or consent. According to the complaint (PDF), one of its services scored each patient's probability of hospital admission and estimated financial worth for the patient's healthcare provider, based on risk factors derived from the patient's health information.
Another major HIPAA violation case involving a business associate arose from the Department of Defense's military healthcare program, where nearly the same thing happened: a contractor employee left an unencrypted laptop in a car and it was stolen, affecting about 4.9 million patients. Several of the affected patients filed a lawsuit, and their complaint stressed the need for every contractor employee handling protected health information (PHI) to be properly trained.
Modifications to HIPAA Applicability
Are business associates lax on HIPAA compliance because the law has had no teeth for them? That will change very soon. According to HealthCareInfoSecurity.com, March 2012 is the target date for the final version of the HIPAA modifications and breach notification rule (also known as the Omnibus rule; omnibus is Latin for "for all"). Under the proposed modifications, business associates will be required to comply with the HIPAA standards directly, as seen in the change to the §164.104 Applicability rule:
When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, or other than as a business associate of a covered entity, the clearinghouse must comply with §164.105 relating to organizational requirements for covered entities, including the designation of health care components of a covered entity.
Roadmap to Achieving Compliance
How can a business associate avoid a potential HIPAA violation, subsequent lawsuits and fines? Try the following:
Or are you a covered entity that needs assurance that its business associates are handling PHI in a HIPAA-compliant manner? Read our E-Tip on the top Five Questions to Ask Your HIPAA Hosting Provider.
March Target for HIPAA Modifications
State of Minnesota vs. Accretive Health, Inc. (PDF)
Minnesota Sues Consulting Firm Over Lost Health Data
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.