By Rachel Grunberger and Dena Feldman
Earlier this month, the federal district court in Minnesota dismissed a lawsuit brought earlier this year by the Minnesota Attorney General (AG) against Accretive Health, Inc., a business associate of hospitals, after the parties reached a settlement. In the lawsuit, which we previously discussed here, the Minnesota AG alleged that the company violated various provisions of HIPAA as well as Minnesota privacy and consumer protection law.
Accretive Health had contracted with two Minnesota hospitals, primarily to perform services related to debt collection and “care coordination” services. Through these services, Accretive required access to protected health information of the hospitals’ patients, and thus was acting as a business associate under HIPAA. The Minnesota AG’s case was notable because it was the first time that an enforcement action had been brought against a HIPAA business associate since the enactment of the HITECH Act in 2009, which imposed direct obligations on business associates to comply with certain HIPAA requirements, including breach notification and provisions of the HIPAA Security Rule.
The Minnesota AG’s HIPAA-related allegations arose out of a data breach, when the laptop of an Accretive Health employee was stolen out of his rental car. The laptop contained protected health information of approximately 24,000 patients, including individually identifiable information and whether the patient had any one of 22 health conditions. While the laptop was password protected, the data was not encrypted. The complaint alleged that Accretive Health violated eight separate provisions of HIPAA.
Late last month, the parties reached a settlement under which Accretive Health agreed to pay $2.5 million to the Minnesota AG’s office. The settlement also requires the company to cease all business operations in Minnesota for a period of two years. After the two-year ban, there begins a four-year period during which Accretive must seek permission from the Minnesota AG before it may resume business in the State. The court officially dismissed the action on August 7, 2012.
Although the Minnesota AG’s complaint included more serious allegations regarding the company’s debt collection practices in addition to the alleged HIPAA violations, the case underscores the importance for all companies that act as business associates to ensure that they are complying with HIPAA and the terms of their business associate agreements.