Last month, the Minnesota Attorney General filed a lawsuit in federal court against Accretive Health, Inc. alleging that the company violated various provisions of HIPAA as well as Minnesota consumer privacy and protection law. Although HIPAA-covered entities have been the subject of enforcement actions by state AGs and the Department of Health and Human Services, this marks the first time that an enforcement action has been brought against a HIPAA business associate.
Accretive had partnered with two Minnesota hospitals to deliver “revenue cycle operations” services, including scheduling, registration, admissions, billing, collection and payment functions. For one of the Minnesota hospitals, Accretive also performed “care coordination” services. Because both the revenue cycle and care coordination services required the hospitals (HIPAA-covered entities) to disclose protected health information (PHI) to Accretive, Accretive qualifies as a “business associate” under HIPAA, and therefore must comply with certain HIPAA requirements or face civil or criminal penalties.
The Incident
The Minnesota AG’s allegation that Accretive violated HIPAA stems from an incident in July 2011, when the laptop of an Accretive employee was stolen out of the back of his rental car in Minneapolis. According to the complaint, the laptop contained PHI of approximately 24,000 patients, including each patient’s name, address, phone number, social security number, and whether the patient had any of 22 listed conditions (including HIV, bipolar disorder, schizophrenia, depression, high blood pressure, seizure disorder, etc.). The complaint alleges that the laptop was password protected, but the data were not encrypted. The complaint further claims that Accretive notified approximately 17,000 patients from the two hospitals about the incident, but a computer expert from one of the hospitals later discovered the PHI of an additional 7,000 patients, whom Accretive had not notified of the breach.
The Minnesota AG alleges that the company breached its obligations under HIPAA to use appropriate safeguards to prevent the misuse or disclosure of PHI, to adequately train its employees, to use appropriate administrative, technical, and physical safeguards to protect PHI, and to adequately identify and respond when PHI was compromised. In all, the complaint lists eight separate violations of HIPAA. The complaint also alleges various violations of state law, alleging that Accretive violated the Minnesota Health Records Act, the Minnesota Prevention of Consumer Fraud Act and Uniform Deceptive Trade Practices Act, and Minnesota Debt Collection Law.
The complaint seeks a preliminary and permanent injunction preventing Accretive from violating federal and state privacy laws, statutory damages, costs of the action, and attorneys’ fees. Furthermore, the complaint seeks an order requiring Accretive to disclose to patients the data it has about them and where and how such data is stored.
Business Associates Beware
The HITECH Act, enacted in 2009, expanded the authority to bring a civil HIPAA action to state Attorneys General, where previously only the federal government could bring such a claim, and expanded civil liability to business associates. So far, the AGs of Vermont and Connecticut have brought civil HIPAA claims against covered entities in their States. However, this action by the Minnesota AG marks the first time that an enforcement action has been brought against a business associate. HHS has yet to bring a HIPAA action against a business associate, and is still in the process of promulgating final HITECH regulations (expected in March). Thus, the Minnesota AG’s action should put all companies that may potentially qualify as “business associates” under HIPAA on notice that it is vitally important that they ensure their companies’ operations are in compliance with HIPAA requirements.