Minnesota Attorney General Lori Swanson has filed a civil lawsuit in federal court against HIPAA business associate Accretive Health, Inc. (“Accretive”) for alleged violations of HIPAA, Minnesota medical privacy law, and consumer debt collection practices laws. The lawsuit was filed in part through the powers granted to state attorneys general (“AGs”) under HITECH provisions that expanded the enforcement powers and civil penalties available for violations of HIPAA.
Accretive had been hired by two hospitals to perform revenue cycle management services, including scheduling, registration, admissions, billing, collection, and payment functions. These activities were performed by Accretive employees working on-site in various departments of the hospitals. The lawsuit followed the theft, from an Accretive employee’s car, of an unencrypted, password-protected laptop that contained the individually identifiable health information of approximately 17,000 to 23,000 patients.
The complaint alleges eight security violations of HIPAA, including Accretive’s failure to implement appropriate safeguards to protect patient data and to adequately train members of its workforce. The complaint also alleges that Accretive’s failure to affirmatively disclose to patients the amount of health information it was collecting violated the Minnesota Prevention of Consumer Fraud Act and Uniform Deceptive Trade Practices Act. There is some concern that this action, if upheld, will result in state law obligations requiring service providers to health care institutions to independently and affirmatively disclose their data collection practices to patients.
This case demonstrates the increasing interest on the part of state AGs to enforce HIPAA, as Connecticut and Vermont AGs also filed enforcement actions last year following health information breaches. It is the first time, however, that a formal HIPAA claim has been leveled against a business associate, as opposed to a HIPAA covered entity. Although the federal government can impose penalties of up to $1.5 million for HIPAA violations, the monetary penalties that can be imposed by state AGs are capped at $25,000 per calendar year for each provision violated. Given the limited HIPAA penalties available to state AGs, state enforcement actions will likely continue to be bundled with consumer protection and other state law claims that carry additional and enhanced penalties.
It is unlikely that the Department of Health & Human Services (“HHS”) will take enforcement actions against business associates in 2012 related to the privacy provisions that will be addressed in the final HITECH regulations (as of the date of this blog post, no specific month or day has been announced for publication of the final HITECH regulations, though publication is expected this year). To the extent HHS focuses enforcement activity on business associates, it will likely be limited to the areas of data breaches and security rule violations. The recent state AG enforcement actions suggest that business associates should be mindful of compliance with the applicable HIPAA statutory provisions, document their HIPAA privacy and security compliance efforts, and monitor compliance with their business associate contracts.