On September 28, 2011, Health Data Management reported that an employee of Accretive Health, a Chicago-based revenue cycle management consultancy, left a laptop in a car; the laptop contained information on approximately 14,000 patients at Fairview Health Services and 2,800 patients at North Memorial Health System. The laptop was stolen from the Accretive Health associate's automobile on July 25. The news was initially reported by the Minneapolis Star Tribune on September 27, 2011. The two healthcare systems in the Minneapolis area have notified 16,800 patients about a breach of their protected health information following the theft.

This occurrence brings to light how important it is for providers to ensure their revenue cycle vendors sufficiently safeguard Protected Health Data and HIPAA information. Hospitals and health systems often overlook the risks they take on by outsourcing their revenue cycle activities to vendors who may not employ the level of security and professional protocols needed to guard against a breach such as the one experienced by Accretive Health. I recommend that all providers who are considering outsourcing revenue cycle and patient collection activities ensure their vendors have multiple layers of data protection.

Fairview Health Services patients now have to deal with the potential fallout of the release of their personal information into the public domain, including names, addresses, dates of birth, account balances, some diagnostic information, dates of service and the insurance policyholder number or Social Security numbers. Similar information was on the laptop for North Memorial patients, except for Social Security numbers.

The Minneapolis Star Tribune reported that the providers sent a notification letter to all patients, informing them that Accretive Health has policies in place to encrypt laptops, but the Accretive employee did not follow policy. Fairview contracted with the security firm ID Experts for remediation services, including patient notification, 12 months of free identity theft protection and fraud monitoring services, and $20,000 of identity theft reimbursement if necessary, with Accretive Health paying for the services.

In today’s electronic age, we benefit from data that can be easily accessed from computers and mobile devices. In turn, this data transparency, if under-secured, can result in catastrophic consequences when data is lost or stolen. If hospitals and health systems don’t carefully choose their revenue cycle vendors, or any vendor that has access to PHI, a single mistake by a vendor could cost millions in lost revenue and cloud the provider's reputation for years to come.

There are qualified revenue cycle outsourcing and consultancy companies in the marketplace. When choosing a vendor to work with, I recommend that providers not gloss over seemingly insignificant areas of vendor competency such as data security, and that they make security a key determinant in the vendor selection process.

To learn more about iSolutions IQ’s data security approach to protecting Patient Health Information, contact Phil C. Solomon at iSolutions IQ (www.isolutionsiq.com) at psolomon@isolutionsiq.com.
