Debt Collector Lost Laptop Containing Sensitive Data
You might take a lot of pride and caution in following laws such as those of HIPAA. But did you know that you could be fined based on the practices of your business associates? Any business associate who receives your patient’s Protected Health Information (PHI) is subject to all Health Insurance Portability and Accountability Act (HIPAA) regulations. This could be anyone from your telephone answering service to your accounting firm and collection agent.
A recent example of this accountability is a lawsuit filled by the Minnesota Attorney General against Accretive Health, Inc., a debt collection agency that is part of a New York private equity fund conglomerate. The agency has a role in managing the revenue and health care delivery systems at two Minnesota hospital systems. In 2011, an Accretive employee lost a laptop computer containing unencrypted health data about patients. The lawsuit alleges that Accretive violated several state and federal laws for failing to protect the confidentiality of patient health care records and not disclosing to patients its involvement in their health care.
To avoid lawsuits such as this one, your office should be aware of current laws regulating your practice and industry. The HITECH Act Security Rule requires reasonable assurance of the confidentiality, integrity and availability of Electronic Protected Health Information (EPHI) in three key elements:
Security management process, security personnel, information access management, workforce training and management and evaluation.
Facility access and control, workstation and device security.
Access control, audit controls, integrity control and transmission security.
Failure to comply with the HITECH and HIPAA regulations can cause severe financial penalties reaching up to $1.5 million for you and your practice.
If your office becomes aware of a HIPAA breach made by your business associate, you are required to take reasonable steps in correcting the violation. In the event that such steps are unsuccessful, then you must terminate your business associate agreement.
To avoid terminating contracts or securing other business associates, we highly recommend surveying your business associates’ HIPAA compliance processes. Ask yourself these questions:
- What are your policies and procedures protecting against the use or disclosure of PHI?
- Has your staff received training from a HIPAA professional?
- Are all vendors associated with your business associates HIPAA compliant?
- Do you have all of the necessary resources to remain HIPAA compliant?
The medical profession is constantly undergoing change, and therefore so are the laws and policies governing it. You work hard to adhere to them and provide the best service possible. So don’t let your reputation be tarnished by one of your business associates. Survey your work relationships’ HIPAA compliance processes to protect your patients and yourself.
To read more about HIPAA and business associates, click here.