The Federal Trade Commission (FTC) recently announced a settlement with Accretive Health, Inc., a provider of medical billing and revenue management services to hospitals.  The FTC’s complaint alleged that Accretive failed to provide reasonable and appropriate security for consumers’ personal information, and this failure constituted an unfair act or practice in violation of Section 5 of the FTC Act.

The FTC’s allegations stemmed from a July 2011 incident in Minneapolis, Minnesota, which we described in previous posts.  An Accretive laptop containing over 600 files with information relating to 23,000 patients was stolen from an employee’s car.  The data on the laptop included sensitive personal and health information, such as patient names, billing information, diagnostic information, and Social Security numbers, which, according to the FTC, was not necessary for the employee to perform his job.

Under the terms of the Dec. 31 settlement, Accretive must implement a comprehensive information security program and submit the program for evaluation every two years by a certified third party.  The settlement will be in force for the next 20 years.  The FTC will accept written comments on the proposed consent order until January 30, 2014, after which the Commission will rule on whether to finalize the consent order.

The FTC also sent a separate letter to Accretive regarding its debt collection practices in hospital emergency rooms and other sensitive hospital areas.  While noting that attempts to collect defaulted debts in such places raise serious consumer protection concerns, and that FTC staff did find evidence that Accretive engaged in unlawful debt collection practices in Minnesota, the FTC stated it would not recommend an enforcement action at this time.  One reason, according to the letter, was that the Minnesota Attorney General had already banned Accretive from collection activity in Minnesota pursuant to a $2.5 million settlement.

By Meena Harris and Caleb Skeath

  1. Data Breaches
  • Studies show increase.  Amidst a flurry of high-profile breaches during 2014, several studies confirmed that data breaches as a whole have risen significantly over the past few years.  The California Attorney General released a study showing a 28% increase in breaches in 2013 as compared to 2012.  Another study, which examined the volume of data breaches during the first quarter of 2014, found an increase of 233% compared to the same time period in 2013.
  • State laws.  In April, Kentucky became the 47th state to enact a data breach notification law.  Florida and Iowa each amended their data breach notification laws in 2014 to, among other changes, enhance regulator notification requirements.  California amended its data breach notice law to expand the types of information covered and to require certain companies to provide one year of free credit monitoring to affected individuals (although the statutory language on the latter point is subject to multiple interpretations).
  • Federal legislation.  Numerous data breach bills, including the Data Security Breach Notification Act of 2014 and the Personal Data Protection and Breach Accountability Act, were introduced in Congress, although none passed during 2014.  The Senate Judiciary Committee, the Senate Commerce Committee, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, among others, held hearings during 2014 to discuss the need to address data breaches and the possibility of enacting federal legislation.
  • Federal enforcement.  In the enforcement arena, the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), and state attorneys general pursued enforcement action during 2014 against companies that had suffered data breaches.  The Securities and Exchange Commission also announced in April that it would conduct over 50 cybersecurity examinations of publicly traded companies.  The Federal Communications Commission (“FCC”), for its part, levied a $10 million fine in October against two telecommunications carriers for exposing customer data, which represented the FCC’s first enforcement action in the wake of a data breach.
  • Continued attention in 2015.  Legislative interest in data breach issues has only increased in early 2015.  Since President Obama proposed national data breach legislation, additional data breach notification bills have been introduced in the House and Senate.  The House Subcommittee on Commerce, Manufacturing, and Trade also held a hearing on crafting a national data breach bill, debating the harm that should trigger notification obligations and the appropriate window for providing notifications.

Continue Reading Top 10 U.S. Privacy Developments of 2014

Earlier this month, the federal district court in Minnesota dismissed a lawsuit brought earlier this year by the Minnesota Attorney General (AG) against Accretive Health, Inc., a business associate of hospitals, after the parties reached a settlement.  In the lawsuit, which we previously discussed here, the Minnesota AG alleged that the company violated various provisions of HIPAA as well as Minnesota privacy and consumer protection law.

Accretive Health had contracted with two Minnesota hospitals, primarily to perform services related to debt collection and “care coordination” services.  Through these services, Accretive required access to protected health information of the hospitals’ patients, and thus was acting as a business associate under HIPAA.  The Minnesota AG’s case was notable because it was the first time that an enforcement action had been brought against a HIPAA business associate since the enactment of the HITECH Act in 2009, which imposed direct obligations on business associates to comply with certain HIPAA requirements, including breach notification and provisions of the HIPAA Security Rule.

The Minnesota AG’s HIPAA-related allegations arose out of a data breach, when the laptop of an Accretive Health employee was stolen out of his rental car.  The laptop contained protected health information of approximately 24,000 patients, including individually identifiable information and whether the patient had any one of 22 health conditions.  While the laptop was password protected, the data was not encrypted.  The complaint alleged that Accretive Health violated eight separate provisions of HIPAA.

Continue Reading Court Dismisses Minnesota AG’s HIPAA Enforcement Action Against Business Associate Following Settlement

Last month, the Minnesota Attorney General filed a lawsuit in federal court against Accretive Health, Inc. alleging that the company violated various provisions of HIPAA as well as Minnesota consumer privacy and protection law.  Although HIPAA-covered entities have been the subject of enforcement actions by state AGs and the Department of Health and Human Services, this marks the first time that an enforcement action has been brought against a HIPAA business associate.   

Accretive had partnered with two Minnesota hospitals to deliver “revenue cycle operations” services, including scheduling, registration, admissions, billing, collection and payment functions.  For one of the Minnesota hospitals, Accretive also performed “care coordination” services.  Because both the revenue cycle and care coordination services required the hospitals (HIPAA-covered entities) to disclose protected health information (PHI) to Accretive, Accretive qualifies as a “business associate” under HIPAA, and therefore must comply with certain HIPAA requirements or face civil or criminal penalties.

Continue Reading Minnesota AG Files First HIPAA Enforcement Action Against Business Associate