The West Virginia Record reports the filing of a medical record breach action against West Virginia University Medical Corporation dba University Health Associates (UHA) under the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The action filed in Monongalia Circuit Court was filed by Jennifer M. McGinley on behalf of Randy Friend (11-C-774).
The complaint asserts that Mr. Friend received a letter from UHA indicating that an employee had accessed his medical record without authorization. Mr. Friend claims that his medical record was accessed multiple times by a former UHA employee and that this former employee related the medical information to several other people living in Mr. Friend’s community causing him emotional distress and embarrassment.
Also, Jeff Drummond at the HIPAA Blog reports on an interesting lawsuit filed by the Minnesota AG against Accretive Health in Minnesota. The action involves Fairview Health and North Memorial who hired Accretive Health as its debt collection company. Accretive Health lost an unencrypted laptop with medical and other personal information. As Jeff indicates this has some interesting aspects including the question of direct liability of a business associate under the HITECH amendments to HIPAA and also whether the covered entities only disclosed the “minimum necessary” information to its debt collection company. Interesting case to watch develop.
UPDATE: The complaint filed in the United States District Court District of Minnesota, State of Minnesota, by its Attorney General Lori Swanson v.Accretive Health, Inc.