In what appears to be the first action of its kind, Minnesota’s Attorney General recently filed a lawsuit against a business associate of a health care provider for failing to adequately safeguard patients’ protected health information (PHI). According to the lawsuit, an employee of Accretive Health, Inc. lost a laptop containing unencrypted sensitive health data from thousands of Minnesota patients. The laptop, which was stolen from the backseat of a rental car (where it had been left by the employee), contained detailed personal information, including names, social security numbers, and medical histories, of at least 23,531 patients of two Minnesota hospital systems.
Accretive, a debt collection agency that is part of a New York private equity fund conglomerate, had control of such data because it contracted with the hospital systems to control the management and operations of their “revenue cycles,” including scheduling, registration, admissions, billing, collections, and payment functions. As part of those functions, Accretive accessed the hospital patients’ PHI for “data mining” and “consumer behavior modeling.”
Congress passed the HITECH (Health Information Technology for Economic and Clinical Health) Act as part of the American Recovery and Reinvestment Act of 2009. Among other things, HITECH extends HIPAA requirements to “business associates,” such as Accretive, who are granted access to PHI compiled by covered entities like the two hospitals with which Accretive contracted. HITECH also significantly increased the amount of civil monetary penalties that can be imposed by the federal government for violations of HIPAA: for example, HITECH increases the maximum penalty for all violations of an identical provision from $25,000 to $1.5 million. And an entity that violates HIPAA can no longer avoid the imposition of a civil monetary penalty by merely demonstrating that it was unaware of the violation — under HITECH, the entity can only avoid the monetary penalties if it corrects the violation within 30 days of discovery, and if the violation was not the product of willful neglect.
The Minnesota Attorney General’s lawsuit, filed on January 19, 2012, alleges that Accretive violated state and federal health privacy laws, including HIPAA, as well as state debt collection and consumer privacy laws. In addition to alleging HIPAA violations for losing the laptop with the PHI, the lawsuit also alleges that Accretive violated state law by failing to disclose to patients the extent to which it utilized their PHI. Among other things, the lawsuit seeks an order directing Accretive to fully disclose the details of its use of PHI, an injunction restricting Accretive’s future use of PHI, and statutory penalties under HIPAA and state laws.
In particular, the lawsuit alleges that Accretive violated HIPAA by, among other things:
(1) failing to implement policies and procedures to prevent, detect, contain and correct security violations;
(2) failing to implement policies and procedures to prevent unauthorized members of its workforce from obtaining access to PHI;
(3) failing to effectively train all members of its workforce on the policies and procedures with respect to PHI;
(4) failing to identify, respond to, and mitigate suspected or known security incidents;
(5) failing to implement policies and procedures to limit physical access to its electronic information systems;
(6) failing to implement policies governing the receipt and removal of hardware and electronic media containing electronic PHI; and
(7) failing to implement technical policies and procedures that ensure access to electronic PHI only to those persons that have been granted such access.
As this lawsuit illustrates, covered entities and their business associates must act proactively to protect PHI. Under HITECH, the consequences of a failure to implement effective policies can be particularly harsh.
If you have questions about these or other legal issues, please contact a member of our Health Law group or call 208.344.6000.