By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    improving patient experience
    6 Ways to Improve Patient Satisfaction Within Hospitals
    December 1, 2021
    degree for healthcare job
    What Are The Health Benefits Of Having A Degree?
    March 9, 2022
    custom software development is changing healthcare
    Digital Customer Journey Mapping and its Importance for Healthcare
    July 21, 2022
    Latest News
    Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
    May 16, 2025
    Learn how to Renew your Medical Card in West Virginia
    May 16, 2025
    Choosing the Right Supplement Manufacturer for Your Brand
    May 1, 2025
    Engineering Temporary Hospitals for Extreme Weather
    April 24, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    Can Thinking Younger Make You Live Longer?
    April 20, 2011
    Image
    Obesity’s Outlook Unchanged
    June 13, 2011
    When It’s An Emergency Elderly Not Treated As Well in Hospitals
    July 16, 2011
    Latest News
    Building Smarter Care Teams: Aligning Roles, Structure, and Clinical Expertise
    May 18, 2025
    The Critical Role of Healthcare in Personal Injury Recovery: A Comprehensive Guide for Victims
    May 14, 2025
    The Backbone of Successful Trials: Clinical Data Management
    April 28, 2025
    Advancing Your Healthcare Career through Education and Specialization
    April 16, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Accretive Health: No Liability
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > eHealth > Accretive Health: No Liability
eHealth

Accretive Health: No Liability

onlinetech
Last updated: August 1, 2012 8:09 am
onlinetech
Share
10 Min Read
AprilSage
SHARE

Oops, I made a mistake

The recent settlement between Accretive Health and the State of Minnesota is one more domino in the growing parade of breach casualties. What makes this case odd is the simultaneous insistence of no wrongdoing or liability, the resignation of their controller and the fact that ePHI (electronic protected health information) was left on a portable device in an employee’s car with no encryption.

No admission of liability

Oops, I made a mistake

More Read

BioPharma Beat: How Will Your Doctor Will See 1,000 Patients – A Day?
Video Calling Shrinks Distance, Time and Cost in Healthcare
Health-Focused Wearables: Can Innovators, Providers, and Insurers Work Together?
Unknown Canadian Patients Grab Top Prize Against Web Giants
HIMSS 12: Presenters Urge It’s Not About Technology, But Connecting People

The recent settlement between Accretive Health and the State of Minnesota is one more domino in the growing parade of breach casualties. What makes this case odd is the simultaneous insistence of no wrongdoing or liability, the resignation of their controller and the fact that ePHI (electronic protected health information) was left on a portable device in an employee’s car with no encryption.

No admission of liability

The phrase that keeps dancing through my mind is from the latest kids’ mobile app I made the mistake of downloading onto my phone. My daughter’s favorite snippet is a cheery little song that highlights “Oops, I made a mistake” roughly 50 times within a single 3 minute clip.

The Organizational Requirements of the HIPAA Security Rule defined in 164.504(e) requires contracts between Covered Entities (CEs) and Business Associates (BAs) to extend the chain-of-trust for the explicit purpose of protecting health information. So how can there be no liability if a laptop with unprotected ePHI was left in a vehicle and stolen? One or more of the following must have happened:

  • The BA did not have a policy or procedure in place that would have prevented unencrypted ePHI from being stored on a portable device.
  • The BA did not have policies or procedures to control the security of the portable device.
  • The employee did not follow the policies or procedures of the BA.
  • The CEs did not review the policies and procedures of the BA with regards to handling ePHI.
  • The BA did not audit its own policies or procedures, or invest in a third party, as part of a HIPAA risk assessment and management plan.
  • The CEs did not audit the BA’s policies or procedures to ensure they were protecting PHI appropriately.

In all of the cases above, there is liability on the part of the CE, the BA, and the patient. How can a major healthcare vendor state that it has no liability to protect PHI? Without accepting responsibility or owning liability, how do you improve protections? And who pays a $2.5 MILLION settlement for not doing anything wrong? It’s a terrible example for both CEs and BAs to set to allow this “no liability” myth to pervade the industry.

Maybe Spiderman said it best: “With great power comes great responsibility.”

Hey, if a comic book character can figure it out, I think we should be able to say “Oops, I made a mistake” and then entertain changing our perspective.

CEs, please do:

  • Ask for and read what a BA has done to assess and manage HIPAA compliance under the full HIPAA security rule – let’s hope this includes an independent audit, because, let’s face it, you can’t audit yourself legitimately.
  • Spend the money to go visit BA facilities – if you think you don’t have the time and money to do that, just think about the cost of a breach.
  • Have a proactive and ongoing dialog with BAs about HIPAA compliance and your expectations for handling PHI.

BAs, please do:

  • Accept and embrace full responsibility to protect PHI.
  • Invest in annual, independent third party audits by a respected HIPAA security authority.
  • Embrace and address any areas that would improve the confidentiality, privacy, and availability of PHI.

If you have any questions about your responsibilities under the HIPAA Security Rule, please contact a qualified HIPAA legal counsel or a HIPAA security specialist.

References from the HIPAA security rule:

The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

General Provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

(e)(1) Standard: Business associate contracts.  (i) The contract or other arrangement between the covered entity and the business associate required by §164.502(e)(2) must meet the requirements of paragraph (e)(2) or (e)(3) of this section, as applicable.
(ii) A covered entity is not in compliance with the standards in §164.502(e) and paragraph (e) o this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to
cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the Secretary.
(2)  Implementation specifications: Business associate contracts.  A contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of such information by the business associate.
The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity,
except that:
(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and
(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the
covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information.


AprilSage

April Sage, CPHIMS, Director Healthcare Vertical, Online Tech
April Sage has been involved in the IT industry for over two decades, initially founding a technology vocational program. In 2000, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems.

Since then, April has been involved in the development and implementation of online business plans and integrated marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Director Healthcare Vertical of Online Tech.

Contact:  asage@onlinetech.com


Recommended Reading:
Five Questions to Ask Your HIPAA Hosting Provider
Online Tech’s BAA Breach Notification Clause
In the Wake of a Healthcare Data Breach
Healthcare Organizations: Seeking a Cloud Provider? BAAs Required

References:
Business Associates from HHS.gov
Uses and Disclosures: Organizational Requirements from HHS.gov (PDF)

TAGGED:security breach
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

Clinical Expertise
Building Smarter Care Teams: Aligning Roles, Structure, and Clinical Expertise
Health care
May 18, 2025
Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
Health
May 15, 2025
Learn how to Renew your Medical Card in West Virginia
Learn how to Renew your Medical Card in West Virginia
Health
May 15, 2025
Dr. Klaus Rentrop Shares Acute Myocardial Infarction heart treatment
Dr. Klaus Rentrop Shares Acute Myocardial Infarction
Cardiology
May 13, 2025

You Might also Like

Image
eHealth

High Quality, Low Cost HealthCare Video Interview Series: e-Patient Dave deBronkart

December 18, 2012

The Importance of the Cloud and Data Security in Healthcare

November 25, 2014

Meaningful Use and Mobile Apps

April 20, 2012

Making Health Addictive: Use the Sentinel Effect [VIDEO]

June 4, 2014
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?