Expert Weighs In On AG’s Lawsuit
PRIVACY LAW—U.S.February 7, 2012
A healthcare privacy expert provides analysis on the recent lawsuit filed by Minnesota Attorney General Lori Swanson against debt collector Accretive Health for violating state and federal health privacy laws, state debt collection laws and consumer protection laws. The suit involves a relatively common situation--a lost laptop containing 23,500 patients' personal information--says Wiley Rein's Kirk Nahra, CIPP/US. But it's important in two significant and different ways, he says. "First, this case reflects a HIPAA enforcement action brought by a state attorney general (AG) based largely on political concerns rather than true compliance issues. The company was engaged in debt collection efforts but also had created various financial profiles about the patients as part of these efforts," he says. "There is nothing on the face of these facts that reflects a violation of HIPAA in the activities engaged in by this company, and the Minnesota Attorney General appears to be using the security breach as an opportunity/excuse to pursue enforcement actions--under HIPAA and other laws--against practices that it simply does not like." Second, says Nahra, this case is the first to be brought against a business associate under HIPAA, though AGs have typically indicated they feel the final rules are necessary before enforcement actions can begin. This case indicates that "business associates should be prepared to face HIPAA enforcement challenges now...even before the final rules are issued," Nahra notes.