Rachel Grunberger and Dena Feldman write:
Earlier this month, the federal district court in Minnesota dismissed a lawsuit brought earlier this year by the Minnesota Attorney General (AG) against Accretive Health, Inc., a business associate of hospitals, after the parties reached a settlement. In the lawsuit, which we previously discussed here, the Minnesota AG alleged that the company violated various provisions of HIPAA as well as Minnesota privacy and consumer protection law.
Accretive Health had contracted with two Minnesota hospitals, primarily to perform services related to debt collection and “care coordination” services. Through these services, Accretive required access to protected health information of the hospitals’ patients, and thus was acting as a business associate under HIPAA. The Minnesota AG’s case was notable because it was the first time that an enforcement action had been brought against a HIPAA business associate since the enactment of the HITECH Act in 2009, which imposed direct obligations on business associates to comply with certain HIPAA requirements, including breach notification and provisions of the HIPAA Security Rule.
Read more on Covington & Burling InsidePrivacy.