In perhaps the first widely publicized action taken against a "business associate" (as defined under the Health Insurance Portability and Accountability Act (HIPAA) and privacy and security regulations thereunder), the Minnesota Attorney General (AG) on January 19 filed a civil lawsuit in federal court against Accretive Health, Inc., for alleged violations of HIPAA, as well as alleged violations of that state's medical privacy law and consumer debt collection practices laws. Minnesota v. Accretive Health Inc., D. Minn., No. 12-145, filed January 19, 2012. The lawsuit arises from the loss by an Accretive employee of a laptop containing several thousand records that included the individually identifiable health information of patients from Accretive's hospital customers. The action is filed under the powers granted to state attorneys general under HITECH provisions that expanded the enforcement powers and civil penalties available for violations of HIPAA.
Accretive Health Inc., the business associate and defendant in the lawsuit, was engaged by two hospitals to perform revenue cycle management services, including a so-called "Quality and Total Cost of Care" service agreement that is alleged to have included intensive management of a hospital's entire revenue cycle process (from patient admissions and registrations, to care coordination, to back office collections of patient receivables), for a fee that included a share of "incentive payments" received by the hospital from payors in return for achieving certain cost savings and quality measures. According to the complaint, management of the hospitals' revenue cycles was performed through so-called "infused employees" of Accretive working on-site in various departments of the hospitals. The patient data was lost when a laptop containing data of approximately 17,000 to 23,000 patients allegedly was stolen from the back seat of a vehicle of an Accretive employee while parked at a local restaurant.
In the lawsuit, the AG alleges that the business associate failed to take adequate security precautions, such as encryption of the data on the lost laptop, to protect the patient information on the device. The information included patients' names, addresses, phone numbers, Social Security numbers and certain clinical information, including information related to chronic conditions such as mental health and HIV/AIDS conditions. Further, the AG alleges that the business associate violated the Minnesota Health Records Act and various state consumer fraud and deceptive practices acts by, among other things, failing to disclose to the hospital patients its extensive role in the hospitals' revenue cycle process, its role as a debt collector and its role in the proactive management of patient care, including the incentive payments based on the hospital's cost savings.
While the remedies available to the AG in this case under HIPAA and the HITECH Act are limited to $25,000 per year, compared to the $1.5 million that the federal government could impose for violations, the defendant in this case, if found to have violated the consumer protection and debt collection agency laws, could face significant financial liability and negative effects on its business reputation. This new enforcement action highlights not only the risks inherent in failing to protect patient data that leads to a privacy breach, but also reveals the underlying scrutiny that will be applied to a business associate's business practices as a result of a data breach. Following actions filed against covered entities in Connecticut and Vermont, this case may portend a new trend of enforcement against HIPAA business associates. Stay tuned...