On July 30, 2012, Minnesota Attorney General Lori Swanson announced a settlement agreement with Accretive Health (Accretive) resolving a lawsuit filed against Accretive in January 2012. The settlement requires Accretive to stop doing business in Minnesota for two years and to pay approximately $2.5 million to the State of Minnesota, a portion of which will be used to compensate patients.
The lawsuit alleged that Accretive violated several provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as modified by the Health Information Technology for Economic and Clinical Health (HITECH), as well as other state and federal laws. The case is significant because it represents the first enforcement action against a business associate under the new provisions of HITECH that makes business associates directly liable (rather than only contractually liable) for violations of HIPAA and, in particular, for breaches of Protected Health Information (PHI). (Although the attorney general alleged in the alternative that Accretive was a covered entity, it relied primarily on its status as a business associate.) The case also illustrates aggressive use of the enforcement authority granted by HITECH to state attorneys general.
Swanson’s Compliant Against Accretive Initially Focused on Violation of Federal Privacy Law
Accretive is a company for which the stated goal is to strengthen the financial position of health care providers. It contracts with hospitals to manage their revenue cycles and cut the cost of patient care. In the course of fulfilling its contractual obligations, Accretive gains access to the PHI of hospital patients and, as a business associate of covered entities, must comply with the HIPAA security provisions and certain privacy provisions.
In July 2011, a laptop was stolen from the rental car of an Accretive employee. Swanson alleged that the laptop was unencrypted and contained sensitive data on more than 23,000 patients. She further alleged that Accretive violated federal security laws by failing to encrypt electronic PHI (ePHI) on laptops, allowing employees to take the laptops containing ePHI out of hospital facilities, failing to effectively train its workforce members to maintain the security of PHI, and failing to identify and respond to the theft of PHI, among other violations.
In June 2012, Swanson amended her complaint to add that Accretive failed to execute a business associate agreement before receiving PHI, failed to implement security safeguards that could have protected the theft of the PHI, and gave its employees information that exceeds the minimum necessary information needed to perform their jobs. The case gained national prominence when Swanson added myriad allegations that Accretive violated several Minnesota state laws by, for example, engaging in deceptive, abusive, and aggressive collection practices.
State Attorney Used New Enforcement Authority and Business Associate Requirements Enacted Under HITECH
Pursuant to HITECH, business associates like Accretive are responsible for employing appropriate administrative, physical, and technical safeguards established under the HIPAA security rule and promptly reporting breaches of PHI to covered entities, to allow for the notification of individuals and the mitigation of any risk to individuals resulting from such breaches. Business associates also are responsible for complying with the minimum necessary standards set forth in HITECH.
HITECH also expanded the enforcement of HIPAA by granting authority to state attorneys general to bring civil actions and obtain damages on behalf of state residents for violations of HIPAA. In 2011, the Office for Civil Rights provided five regional training sessions to assist state attorneys general and their staff to implement this new authority.
Practical Advice for Covered Entities and Business Associates
The settlement illustrates that business associates, as well as covered entities, can face serious consequences for perceived violations of privacy laws. They should take all necessary steps to ensure compliance with applicable HIPAA privacy and security provisions. In light of the restrictive terms of this settlement, business associates and covered entities should consider the following recommendations:
- Examine their HIPAA security to make certain that their safeguards are adequate to prevent breaches of PHI and that their staff are adequately trained
- Review their privacy policies and ensure that they are complete, organized, and consistent with HIPAA, HITECH, and any state laws to which they are subject
- Verify that their actual practices regarding HIPAA privacy and security conform to the requirements of the written policies and procedures, and properly document their compliance
- Ensure that a business associate agreement has been executed before any PHI is transferred to a business associate
Conclusion and Implications
Although Swanson’s lawsuit is the first example of a state attorney general using his or her new enforcement power against a business associate, this case could be an indication of many such lawsuits to come. The inclination of attorneys general in using this authority may vary from state to state, but, certainly, some others are likely to take similarly aggressive approaches to the enforcement of privacy and consumer protection laws. Moreover, as this case demonstrates, a privacy enforcement action may open the door to further allegations of wrongdoing. Going forward, it is important for businesses subject to these rules to take steps to protect against enforcement exposure and help ensure compliance.