Minnesota Attorney General Lori Swanson has sued a debt collection company in federal court for HIPAA violations involving an employee’s laptop stolen in Minneapolis. The defendant, Accretive Health, Inc., is a business associate for Fairview Health and North Memorial Hospital in Minnesota.
Accretive’s stolen laptop contained unencrypted data for 23,500 patients, including names, birth dates, SSNs, amounts owed, procedures performed, chronic conditions, and how the patient responded to treatment. The attorney general’s suit is based on the theory that the hospital should not have shared the medical information with Accretive because doing so violated the minimum necessary rule. In other words, why was all the clinical data necessary for debt collection?
At issue is whether Accretive should have encrypted or otherwise protected the data on the laptop because encryption remains an “addressable” security measure specification that needs to be implemented only when doing so is reasonable and appropriate. Of course, with the need to report unsecured—that is, unencrypted—data and with the much heavier penalties under the HITECH Act, encryption will be reasonable and appropriate almost all the time when the data could result in identity theft or other serious harm.
For background information and more details, especially for those of you interested in equity funds, see the Minnesota Public Radio news article and the press release on the official website of the Minnesota Attorney General.