
Are State AGs Already Becoming More Aggressive on HIPAA?

February 6, 2012
Minnesota lawsuit may just be tip of the iceberg

For a March tech trend story on privacy trends, I asked several consultants to gaze into their crystal balls and project a few headlines in health data privacy for 2012. Chris Apgar, president of Apgar & Associates, said that he expects more lawsuits filed, both by state attorneys general and class action lawsuits against covered entities. Kate Borten of the Marblehead Group told me she thought we would see more breaches reported and more state attorneys general prosecute them.

It didn’t take long for their predictions to ring true. In January, Minnesota Attorney General Lori Swanson filed a lawsuit against consulting firm Accretive Health Inc., which last summer lost an unencrypted laptop that contained medical data on 23,500 Minnesotans.

Chicago-based Accretive, which is involved in the revenue cycle management and operations of both Fairview Health Services and North Memorial Health Care, engages in “data mining” and “consumer behavior modeling” on patients, according to the state’s complaint.

“Accretive is responsible for the management of: ‘risk scores’ for each patient, development of automated care plans for patients, case management, length of hospital stay management, and discharge planning, among other things. It also performs ‘analytics and reporting’ to track utilization by patient and physician, to determine profit and loss by patient, and to identify patients who are ‘outliers,’” the complaint continues.

The Minnesota suit generated a lively discussion on the All Things HITECH group on LinkedIn.

Shauna Van Dongen, associate privacy officer at Providence Health & Services in the Seattle area, pointed out the most interesting thing about this case: the suit is seeking more than damages for the PHI breach. It wants an order requiring Accretive to disclose to Minnesota patients the data that it has about them, where and how such data is stored, including but not limited to whether it has been sent overseas, and how such data is utilized.

“It seems to me that Ms. Swanson would like Accretive to provide patients with something akin to a Notice of Privacy Practices — though in more detail,” Van Dongen wrote. “If this complaint is successful, would such a disclosure requirement apply to all business associates doing business with Minnesota-based covered entities?”

This demonstrates the level of legal complexity involved. Several states have patient bills of rights, and others, such as Texas, have recently passed requirements that are more stringent than HIPAA. Hospitals need to pay attention to the actions of their business associates, and they must think about whether to disclose to patients the full extent of those associates’ access to patient data — before there is a breach.
Management is looking to HIPAA standards and compliance with them as satisfactory mitigation against breaches. Not to bash HIPAA, which is inbound-attack-vector focused, but management can (and should) ramp up mitigation efforts to protect against outbound attack vectors.

The risk is not someone getting on our networks (inbound vector); the risk is someone getting information off our networks (outbound vector), says Fred Cox, CISA, CISM, of FDC Associates.

Does management or the CIO have 60% of the Information Security budget spent on outbound vectors? Doubtful. Yet all profess they are taking a risk management approach, when they are not.

Hiring a CISSP is not the way to go. Their skill set is infrastructure-based, and the issue is the risk management / awareness process.

I was employed for over 25 years at a local hospital and was in a management position. Accretive Health was hired to run the financial section of the hospital and collect on patient accounts. They are like a "cancer" that infiltrated the integrity of our great hospital. Within a couple of years they replaced wonderful employees with their own staff, who were instructed and trained to operate by using numbers and the private information of our patients to collect money and appear to be "heroes" to our administration. They did not consider the caring relationship we had spent many years building with our patients. They did not consider that we work with sick and hurting human beings, and they routinely disregarded patient dignity. They only operated like "vultures" and literally destroyed the fine reputation our hospital had worked hard to build. Many times I witnessed operations by Accretive Health that I suspected were ethically and legally wrong. I hope this lawsuit directs attention where it is needed and Accretive Health pays for their actions.

"... risk scores for patients ... automated care plans for patients ... track utilization by patient, determine profit and loss by patient ... identify patients who are 'outliers.'"

Well, I am afraid to ask what the definition of "outlier" is as used in the above article. I am curious how much all the "analytics" adds to the cost of health care. I sure hope I never end up at that facility, and whatever happened to just plain old doctoring?