In February, we alerted you to the first HIPAA enforcement action taken against a business associate. The action was pursued by the Minnesota Attorney General against Accretive Health, a service provider that was involved in a security breach affecting patients of two hospitals that engaged Accretive to provide debt collection and other services. The resultant lawsuit by the AG pursued claims related to questionable debt collection practices, but also included multiple alleged HIPAA violations, as detailed in our earlier alert. Without admitting any of the allegations, Accretive Health has just agreed to settle this lawsuit on the following terms:
- Accretive Health will pay $2.5 million to the State of Minnesota as part of a restitution fund to compensate affected patients.
- By November 1 of this year, Accretive Health must cease operations in Minnesota for a two-year period, thereby cutting off $23-25 million in projected annual revenues for the company. It must also destroy or return all health and financial information of its Minnesota clients within 60 days of closing its operations in the State and pay a consultant to verify this action has been taken.
- If Accretive Health wants to do business in Minnesota after its two-year exclusion period, it must first procure the consent of the State’s Attorney General, and will be subject to their oversight for four years.
At least one of the three hospitals in the State that engaged Accretive Health ended its relationship with the company before any settlement was reached, and Accretive Health’s vice president and corporate controller resigned. The Attorney General’s office has also referred evidence in the form of patient affidavits it collected in its investigation of this matter to the Centers for Medicare and Medicaid Services for potential enforcement actions under the federal Emergency Medical Treatment and Active Labor Act against the hospitals formerly doing business with Accretive Health.
This settlement serves as a reminder that both federal and state HIPAA activity is increasing markedly, and covered entities and business associates should take steps to evaluate or improve compliance.