First State HIPAA Enforcement Action against a Business Associate Returns $2.5 Million Payout

more+
less-

[authors: Jessica M. Lewis ,Elizabeth H. Johnson]

In February, we alerted you to the first HIPAA enforcement action taken against a business associate.  The action was pursued by the Minnesota Attorney General against Accretive Health, a service provider that was involved in a security breach affecting patients of two hospitals that engaged Accretive to provide debt collection and other services.  The resultant lawsuit by the AG pursued claims related to questionable debt collection practices, but also included multiple alleged HIPAA violations, as detailed in our earlier alert.  Without admitting any of the allegations, Accretive Health has just agreed to settle this lawsuit on the following terms:

  • Accretive Health will pay $2.5 million to the State of Minnesota as part of a restitution fund to compensate affected patients.
  • By November 1 of this year, Accretive Health must cease operations in Minnesota for a two-year period, thereby cutting off $23-25 million in projected annual revenues for the company.  It must also destroy or return all health and financial information of its Minnesota clients within 60 days of closing its operations in the State and pay a consultant to verify this action has been taken.
  • If Accretive Health wants to do business in Minnesota after its two-year exclusion period, it must first procure the consent of the State’s Attorney General, and will be subject to their oversight for four years.

At least one of the three hospitals in the State that engaged Accretive Health ended its relationship with the company before any settlement was reached, and Accretive Health’s vice president and corporate controller resigned.  The Attorney General’s office has also referred evidence in the form of patient affidavits it collected in its investigation of this matter to the Centers for Medicare and Medicaid Services for potential enforcement actions under the federal Emergency Medical Treatment and Active Labor Act against the hospitals formerly doing business with Accretive Health.

This settlement serves as a reminder that both federal and state HIPAA activity is increasing markedly, and covered entities and business associates should take steps to evaluate or improve compliance.

 

 

Topics:  Attorney Generals, Data Breach, Debt Collection, Healthcare, Healthcare Professionals, HIPAA, Settlement

Published In: Administrative Agency Updates, Civil Remedies Updates, Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »