The first HIPAA enforcement action against a business associate has been filed by the Minnesota Attorney General's office.
In part, it's the same old sloppy story: unencrypted laptop loaded with PHI stolen out of a rental car … sheesh, when will they ever learn? (See: Privacy and Security: Joke or No Joke?) Cleaner policies and procedures, and internal enforcement, would have made this a non-event, not reportable, off the front pages, and out of court. Instead, the buisiness associate and the covered entity have gotten plenty of negative publicity, which will include a trip to the Wall of Shame. Perhaps the advent of the HIPAA audits by government contractor KPMG, together with unpredictable actions of state attorneys general will motivate business associates and covered entites to get with the program.
Here are the twists in this case:
1. The federales have said that they're not going to go after business associates until they finally finalize their regs (they've missed the HIPAA / HITECH deadline), but State AGs have been given enforcement authority under HIPAA / HITECH, and they've jumped the gun. (For more on state AG enforcement, see: HIPAA enforcement by state attorneys general: The shape of things to come.)
2. The Minnesota AG is also going after the business associate on the unfair and deceptive business practices front — for failing to disclose to patients the way in which they use their data (they make one set of disclosures to patients, another to Wall Street). See full complaint against Accretive Health (PDF).
As I've been saying for a while, we're going to see more aggressive HIPAA enforcement from beyond the Beltway; this case is an exemplar of just one manifestation of the phenomenon. Another is the growth of private lawsuits bootstrapped on violations of HIPAA or related state laws (this, despite HIPAA's clear statement that it does not provide for third-party lawsuits).
In addition to the HIPAA issues, there's the predictive modeling and consumer transparency side of the case: Accretive, a management consultant to a hospital system, was being paid based on a percentage of cost savings, and was using PHI in its predictive model of patient-specific health care costs. The complaint alleges that this use was not made clear to the patients, though I don't beleive the allegation was made that such use would be improper if appropriate disclosures were made.
Should more explicit disclosures about the uses of health data be made even if not required by federal or state law? I sometimes counsel clients to be more proactive than may be strictly necessary in this department, in order to be sensisitve to the "man on the street" perception of privacy rights — even in situations where the law does not require that certain data be handled as protected health information subject to HIPAA. The benefit is broader than compliance and risk mitigation; it signals a sensitivity to a hot-button issue that may improve customer relations and improve risk management.