For a March tech trend story on privacy trends, I asked several consultants to gaze into their crystal balls and project a few headlines in health data privacy for 2012. Chris Apgar, president of Apgar & Associates, said that he expects more lawsuits filed, both by state attorneys general and class action lawsuits against covered entities. Kate Borten of the Marblehead Group told me she thought we would see more breaches reported and more state attorneys general prosecute them.
It didn’t take long for their predictions to ring true. In January, Minnesota Attorney General Lori Swanson filed a lawsuit against consulting firm Accretive Health Inc., which last summer lost an unencrypted laptop that contained medical data on 23,500 Minnesotans.
Chicago-based Accretive, which is involved in the revenue cycle management and operations of both Fairview Health Services and North Memorial Health Care, engages in “data mining” and “consumer behavior modeling” on patients, according to the state’s complaint.
“Accretive is responsible for the management of: ‘risk scores’ for each patient, development of automated care plans for patients, case management, length of hospital stay management, and discharge planning, among other things. It also performs ‘analytics and reporting’ to track utilization by patient and physician, to determine profit and loss by patient, and to identify patients who are ‘outliers,’” the complaint continues.
The Minnesota suit generated a lively discussion on the All Things HITECH group on LinkedIn.
Shauna Van Dongen, associate privacy officer at Providence Health & Services in the Seattle area, pointed out the most interesting thing about this case: the suit is seeking more than damages for the PHI breach. It wants an order requiring Accretive to disclose to Minnesota patients the data that it has about them, where and how such data is stored, including but not limited to whether it has been sent overseas, and how such data is utilized.
“It seems to me that Ms. Swanson would like Accretive to provide patients with something akin to a Notice of Privacy Practices — though in more detail,” Van Dongen wrote. “If this complaint is successful, would such a disclosure requirement apply to all business associates doing business with Minnesota-based covered entities?”
This demonstrates the level of legal complexity involved. Several states have patient bills of rights, and others, such as Texas, have recently passed requirements that are more stringent than HIPAA. Hospitals need to pay attention to the actions of their business associates, and they must think about whether to disclose to patients the full extent of those associates’ access to patient data — before there is a breach.