Michael Kline and Elizabeth Litten recently commented on the HIPAA violations debt-collection company Accretive Health of Minnesota obtained while working with Fairview Health Services and North Memorial Hospital. After an employee's laptop was stolen, further investigation into the company was prompted and led to even more violations.
Litten said the company used aggressive collection tactics and misled patients into believing they were facility staff, blurring the line between covered entity and business associate.
Fairview Health Services has cooperated and is solving its problems internally. North Memorial did not have a signed business associate agreement and is currently being investigated for creating and backdating one in attempts to avoid legal trouble.
Kline said the "attorney general is almost committed to some sanction against the hospital. A bad business associate agreement is better than none at all."
Kline said business associates like Accretive are often less aware of HIPAA violations, pointing out that many of the security breaches have been caused by associates and not covered entities.
This should be a reminder to covered entity’s that it is their responsibility to report HIPAA breaches, though it can work with the business associate to mitigate losses.