By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    How Not to Become a Victim of Medical Scams
    How Not to Become a Victim of Medical Scams
    December 22, 2021
    11 Ways You Can Care for Your Elder Family Members Health
    11 Ways You Can Care for Your Elder Family Members Health
    April 6, 2022
    How Can Brain Injury Lead To Dangerous Long-Term Effects?
    How Can Brain Injury Lead To Dangerous Long-Term Effects?
    August 30, 2022
    Latest News
    7 Most Common Healthcare Accreditation Programs: Which Should You Use?
    August 20, 2025
    Hospital Pest Control and the Fight Against Superbugs
    August 20, 2025
    Hygiene Beyond The Clinic: Attention To Overlooked Non-Clinical Spaces
    August 13, 2025
    5 Steps to a Promising Career as a Healthcare Administrator
    August 3, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    health suppliments
    Experience Life in a Better Way by Experimenting with Supplements!
    November 15, 2022
    Are There Differences in Medicare Spending Across States?
    September 9, 2017
    Obama: Ryan’s Ideas Are Too Radical Unless They’re Also My Ideas
    April 21, 2011
    Latest News
    How Social Security Disability Shapes Access to Care and Everyday Health
    August 22, 2025
    How a DUI Lawyer Can Help When Your Future Health Feels Uncertain
    August 22, 2025
    How One Fall Can Lead to a Long Road of Medical Complications
    August 22, 2025
    How IT and Marketing Teams Can Collaborate to Protect Patient Trust
    July 17, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Accretive Health: No Liability
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > eHealth > Accretive Health: No Liability
eHealth

Accretive Health: No Liability

onlinetech
onlinetech
Share
10 Min Read
AprilSage
SHARE

Oops, I made a mistake

The recent settlement between Accretive Health and the State of Minnesota is one more domino in the growing parade of breach casualties. What makes this case odd is the simultaneous insistence of no wrongdoing or liability, the resignation of their controller and the fact that ePHI (electronic protected health information) was left on a portable device in an employee’s car with no encryption.

No admission of liability

Oops, I made a mistake

More Read

Image
Small Practice Medical Website Mistakes and How to Avoid Them
Accuracy of Meaningful Use Reporting
Rewards Help Majority of Consumers Overcome Health Data Concerns
Pharma Companies Closing Down Facebook Sites
See the Future of Telehealth Through the Eyes of Teleradiology

The recent settlement between Accretive Health and the State of Minnesota is one more domino in the growing parade of breach casualties. What makes this case odd is the simultaneous insistence of no wrongdoing or liability, the resignation of their controller and the fact that ePHI (electronic protected health information) was left on a portable device in an employee’s car with no encryption.

No admission of liability

The phrase that keeps dancing through my mind is from the latest kids’ mobile app I made the mistake of downloading onto my phone. My daughter’s favorite snippet is a cheery little song that highlights “Oops, I made a mistake” roughly 50 times within a single 3 minute clip.

The Organizational Requirements of the HIPAA Security Rule defined in 164.504(e) requires contracts between Covered Entities (CEs) and Business Associates (BAs) to extend the chain-of-trust for the explicit purpose of protecting health information. So how can there be no liability if a laptop with unprotected ePHI was left in a vehicle and stolen? One or more of the following must have happened:

  • The BA did not have a policy or procedure in place that would have prevented unencrypted ePHI from being stored on a portable device.
  • The BA did not have policies or procedures to control the security of the portable device.
  • The employee did not follow the policies or procedures of the BA.
  • The CEs did not review the policies and procedures of the BA with regards to handling ePHI.
  • The BA did not audit its own policies or procedures, or invest in a third party, as part of a HIPAA risk assessment and management plan.
  • The CEs did not audit the BA’s policies or procedures to ensure they were protecting PHI appropriately.

In all of the cases above, there is liability on the part of the CE, the BA, and the patient. How can a major healthcare vendor state that it has no liability to protect PHI? Without accepting responsibility or owning liability, how do you improve protections? And who pays a $2.5 MILLION settlement for not doing anything wrong? It’s a terrible example for both CEs and BAs to set to allow this “no liability” myth to pervade the industry.

Maybe Spiderman said it best: “With great power comes great responsibility.”

Hey, if a comic book character can figure it out, I think we should be able to say “Oops, I made a mistake” and then entertain changing our perspective.

CEs, please do:

  • Ask for and read what a BA has done to assess and manage HIPAA compliance under the full HIPAA security rule – let’s hope this includes an independent audit, because, let’s face it, you can’t audit yourself legitimately.
  • Spend the money to go visit BA facilities – if you think you don’t have the time and money to do that, just think about the cost of a breach.
  • Have a proactive and ongoing dialog with BAs about HIPAA compliance and your expectations for handling PHI.

BAs, please do:

  • Accept and embrace full responsibility to protect PHI.
  • Invest in annual, independent third party audits by a respected HIPAA security authority.
  • Embrace and address any areas that would improve the confidentiality, privacy, and availability of PHI.

If you have any questions about your responsibilities under the HIPAA Security Rule, please contact a qualified HIPAA legal counsel or a HIPAA security specialist.

References from the HIPAA security rule:

The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

General Provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

(e)(1) Standard: Business associate contracts.  (i) The contract or other arrangement between the covered entity and the business associate required by §164.502(e)(2) must meet the requirements of paragraph (e)(2) or (e)(3) of this section, as applicable.
(ii) A covered entity is not in compliance with the standards in §164.502(e) and paragraph (e) o this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to
cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the Secretary.
(2)  Implementation specifications: Business associate contracts.  A contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of such information by the business associate.
The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity,
except that:
(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and
(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the
covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information.


AprilSage

April Sage, CPHIMS, Director Healthcare Vertical, Online Tech
April Sage has been involved in the IT industry for over two decades, initially founding a technology vocational program. In 2000, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems.

Since then, April has been involved in the development and implementation of online business plans and integrated marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Director Healthcare Vertical of Online Tech.

Contact:  asage@onlinetech.com


Recommended Reading:
Five Questions to Ask Your HIPAA Hosting Provider
Online Tech’s BAA Breach Notification Clause
In the Wake of a Healthcare Data Breach
Healthcare Organizations: Seeking a Cloud Provider? BAAs Required

References:
Business Associates from HHS.gov
Uses and Disclosures: Organizational Requirements from HHS.gov (PDF)

TAGGED:security breach
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

travel nurse in north carolina
Balancing Speed and Scope: Choosing the Nursing Degree That Fits Your Goals
Nursing
September 1, 2025
intimacy
How to Keep Intimacy Comfortable as You Age
Relationship and Lifestyle Senior Care
September 1, 2025
engineer fitting prosthetic arm
How Social Security Disability Shapes Access to Care and Everyday Health
Health care
August 20, 2025
a woman explaining the document
How a DUI Lawyer Can Help When Your Future Health Feels Uncertain
Public Health
August 20, 2025

You Might also Like

Social Media in Health Care: The Genie is out of the Bottle

May 9, 2011
Image
Mobile Health

High Quality, Low Cost HealthCare Video Interview Series: Lawrence Cheskin, MD, FACP Talks About TRIMM

March 12, 2013

Join Me at WWHI’s “Discussion with the FDA” on April 28th at Second Health Care Innovation Day (HCI-DC)

April 13, 2011
eHealth

By Regina

November 19, 2012
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?