On January 19, 2012, Minnesota Attorney General Lori Swanson exercised her authority under the HITECH Act by filing a lawsuit against a business associate for the failure to protect protected health information (PHI) and for the failure to disclose the extent to which PHI was utilized. The case alleges that Accretive Health, Inc., a debt collection agency, lost a laptop containing unencrypted PHI of approximately 23,500 Minnesota patients. This represents one of the first cases brought by a state attorney general under HIPAA.
Accretive Health was formed as a “portfolio company” of Accretive, LLC, a private equity fund, and acts as a business associate to two Minnesota hospitals by providing debt collection, treatment coordination and revenue cycle operations management services. In this capacity, Accretive Health gathers PHI and quantifies 22 medical conditions, including mental health conditions, HIV status and heart disease, to model patient behavior in an attempt to identify areas for cost reduction. Accretive Health also assists one Minnesota hospital with Quality and Total Cost of Care services, in addition to revenue cycle operations management services. Accretive Health provides contract negotiation assistance with insurance companies, whereby the hospitals receive incentive payments for reductions in health care costs and Accretive Health receives a portion as well for managing the overall process.
The complaint alleges violations of HIPAA and various Minnesota state consumer protection laws. Specifically, the complaint alleges that in July 2011, an Accretive Health employee left an unencrypted laptop in a rental car overnight, and the laptop was then stolen. The laptop ultimately contained PHI about 23,531 patients. The complaint alleges that Accretive Health failed to initially identify and disclose the names of all of the patients whose PHI was contained on the lost laptop, as approximately 6,000 additional affected individuals were disclosed only after one of the hospitals retained an independent forensic investigator. The complaint further alleges that Accretive Health violated HIPAA and the HITECH Act by failing to:
- Implement policies and procedures to detect, contain and correct security violations;
- Implement policies and procedures that address workforce member access to PHI;
- Train agents and independent contractors as to how to respond to a data breach and how to properly handle PHI;
- Identify, respond to and mitigate the harmful effects of a security incident;
- Implement policies and procedures related to portable devices;
- Implement technical policies and procedures for electronic information systems that maintain electronic PHI and limit access to workforce members;
- Implement policies and procedures to comply with the HIPAA Security Rule.
Attorney General Swanson is seeking a permanent injunction against Accretive Health as well as statutory damages for violations of HIPAA and various other Minnesota state laws. The penalties may range from $100 per violation to $50,000 per violation. Although the HITECH Act includes per-violation caps, Accretive Health may be facing hundreds of thousands of dollars in potential statutory penalties.