Case Filed by Minnesota Raises Significant HIPAA Enforcement Issues
A recent lawsuit brought by the Attorney General (AG) of Minnesota raises significant enforcement issues related to the Health Insurance Portability and Accountability Act (HIPAA). This development is important to both HIPAA-covered entities and, even more significantly, to business associates under the HIPAA rules.
The case -- brought against a company called Accretive Health -- involves a relatively common situation: a stolen laptop containing patient information. Accretive Health is a debt-collection and cost-of-care management business, engaged as a HIPAA business associate by various hospitals and others.
This case, which is still in its pleading phase, is important in two significant, yet different, ways.
First, this case reflects a HIPAA enforcement action brought by a state AG based largely on political concerns rather than true compliance issues. AG suits have been relatively uncommon, even though the Attorneys General clearly have HIPAA enforcement authority. This case is important because it reflects the more "political" concerns about enforcement from Attorneys General. It is clear that the Minnesota AG did not like what the company was doing under its contracts with hospitals. The company was engaged in debt-collection efforts, but also had created various financial profiles about the patients as part of these efforts. The Minnesota AG did not like these activities and was critical of the company for not informing Minnesota patients about its activities (even though there was no HIPAA obligation to do so). There is nothing on the face of these facts that reflects a violation of HIPAA in the activities engaged in by this company, and the Minnesota AG appears to be using the security breach as an opportunity/excuse to pursue enforcement actions (under HIPAA and other laws) against practices that she simply does not like. The first paragraph of the amended complaint even references the company's "controversial history in Minnesota." So, this case is of significant concern to covered entities and business associates because it seems driven by politics rather than HIPAA.
Second, this case is the first to be brought against a business associate under HIPAA. The HHS Office of Civil Rights -- the primary enforcement agency for HIPAA -- has made clear that it does not believe it can engage in enforcement activities involving business associates until final rules are issued and the compliance period has run. This case indicates that at least one state Attorney General does not believe that final rules are necessary before she can engage in enforcement activity involving business associates. Therefore, this case is an indication that business associates should be prepared to face HIPAA enforcement challenges now -- particularly related to security practices where the substance of the applicable requirements is not in question -- even before the final rules are issued.