On January 19, 2012, Minnesota Attorney General Lori Swanson exercised her authority under the HITECH Act by filing a lawsuit against a business associate for the failure to protect protected health information ("PHI") and for the failure to disclose the extent to which PHI was utilized. The case alleges that Accretive Health, Inc. ("Accretive") lost a laptop containing unencrypted PHI of approximately 23,500 Minnesota patients. This represents the first case brought by a state attorney general under HIPAA, and serves as a warning that entities are not immune from HIPAA enforcement by state attorneys general.
Accretive acts as a business associate to two Minnesota hospitals by providing various services, including revenue cycle operations management services. In this capacity, Accretive gathers PHI and quantifies 22 various medical conditions, including mental health conditions, HIV status and heart disease, to model patient behavior in an attempt to identify areas for cost-reduction.
The complaint alleges violations of HIPAA and various Minnesota state consumer protection laws. Specifically, the complaint alleges that in July 2011, an Accretive employee left an unencrypted laptop in a rental car overnight, and the laptop was then stolen. The laptop ultimately contained PHI about 23,531 patients. The complaint alleges that Accretive initially failed to identify and disclose the names of all of the patients whose PHI was contained on the lost laptop, as approximately 6,000 additional affected individuals were disclosed only after one of the hospitals retained an independent forensic investigator. The complaint further alleges that Accretive violated HIPAA and the HITECH Act by failing to:
Implement policies and procedures to detect, contain and correct security violations;
Implement policies and procedures that address workforce member access to PHI;
Train agents and independent contractors as to how to respond to a data breach and how to properly handle PHI;
Identify, respond to and mitigate the harmful effects of a security incident;
Implement policies and procedures related to portable devices;
Implement technical policies and procedures for electronic information systems that maintain electronic PHI and limit access to workforce members; and
Implement policies and procedures to comply with the HIPAA Security Rule.
Attorney General Swanson is seeking a permanent injunction against Accretive as well as statutory damages for violations of HIPAA and various other Minnesota state laws. The penalties may range from $100 per violation to $50,000 per violation. Although the HITECH Act includes per-violation caps, Accretive may be facing hundreds of thousands of dollars in potential statutory penalties.
This event serves as a reminder for covered entities, business associates and subcontractors to review policies and procedures for adherence to HIPAA and to ensure that workforce members have been properly trained as to how to protect PHI as well as how to quickly respond to a data breach.
For more information, please contact either of the lawyers listed on this alert or the member of the Proskauer Health Care Industry Group with whom you normally consult on these matters.