Prosecutions involving breaches of protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”) are becoming more frequent; we have noted recent civil settlements involving providers in Massachusetts and Alaska, as well as a criminal prosecution in California. The latest prosecution, and resulting settlement, illustrates a new twist: the focus of a data breach investigation can broaden beyond the data breach and expose providers to liability for business practices unrelated to the data breach.
Late last month, the Minnesota Attorney General’s Office announced a settlement with Accretive Health, Inc., a Chicago-based debt collector that had been managing the revenue collection operations of several Minnesota hospitals. Under the settlement, Accretive must cease all operations in Minnesota and pay $2.5 million to a restitution fund. Minnesota had been investigating Accretive after learning that a laptop, containing the protected health information of over 23,000 patients of two Minnesota hospitals, was stolen from the rental car of an Accretive employee in July 2011. The laptop held not only protected health information, such as the patients’ names, addresses, and Social Security numbers, but also Accretive’s proprietary analysis of each patient’s medical condition and likelihood of hospitalization. It was also revealed that another Accretive laptop, containing similar information from a Minnesota hospital, was stolen under similar circumstances a year earlier in July 2010, although Accretive did not report that theft to the Minnesota hospitals. The hospitals only learned of the first theft through anonymous tips received after the second theft was reported. The Attorney General filed a lawsuit in federal court claiming violations of HIPAA and the Minnesota Health Records Act (Minn. Stat. § 144.291 et seq.). The lawsuit also claimed that Accretive violated Minnesota’s debt collection and consumer protection statutes for an alleged failure to disclose its status as a debt collector to patients.
While the Attorney General was probing Accretive’s data security practices, the office learned that Accretive was in the debt collection business and immediately broadened its investigation to those practices. As a result of this fresh investigation, the Attorney General amended the lawsuit to include allegations that Accretive engaged in illegal aggressive collection practices in hospital emergency rooms. Sworn affidavits from about 60 patients alleged that Accretive, or others acting under its control or supervision, asked patients, most of whom had insurance coverage, to pay money in the hospital emergency room before being treated. According to the Attorney General’s press release, affidavits were obtained from:
- “A mother who was taken from the side of her teenage daughter who tried to overdose on a bottle of pills, made to give a credit card in the middle of the night and pay $500 before she could return to her daughter’s bedside.”
- “A mother who had just given birth who was told that her newborn baby could not be discharged from the hospital unless she coughed up a credit card and paid $800. As it turns out, the mother overpaid and had to fight for months to get the $800 back.”
- “A pregnant mother who was asked to pay money in the emergency room in the midst of miscarrying her first baby.”
Accretive’s settlement, which has been approved by the federal district court, requires it to pay $2.5 million to the State of Minnesota for a fund providing restitution to affected patients, with any remainder going to the State’s treasury. Accretive must also cease its operations in Minnesota, return to its client hospitals all health information, and hire an independent auditor, approved by the Attorney General, to confirm that it has done so. Finally, the Minnesota Attorney General noted that since it cannot enforce the federal Emergency Medical Treatment and Active Labor Act (“EMTALA”)—which requires a hospital to treat and stabilize a patient experiencing a medical emergency before asking for payment—it has referred the patient affidavits to the U.S. Centers for Medicare and Medicaid Services.
While the nature of the data breach in the Accretive case underscores the need for providers to remain diligent in securing the protected health information of their patients, the case also demonstrates how data breach investigations can become broader inquiries into practices that are unrelated to data security.