Accretive Health, which was behind the patient data breach announcement by two hospitals in September 2011, has had its debt collection license temporarily suspended. The company admitted that it had failed to use data encryption on a laptop stolen in July 2011. Using encryption software like AlertBoot was company policy at the time of the breach.
Sued by AG
The Minnesota Attorney General has sued Accretive Health for “violating health privacy laws and state consumer protections,” according to startribune.com. State AGs now have the power to pursue HIPAA violations, as we’ve seen before: for example, the Connecticut AG went after Health Net, as did the Arizona AG, when Health Net was involved in a breach affecting 1.9 million patients (ranked #3 in HIPAA breach history so far).
The MN AG took exception to the fact that a debt collector was in possession of PHI (protected health information):
“Why should anyone other than a doctor have such basic and personal and intrusive information about a patient?” [Minnesota Attorney General Lori] Swanson said at a news conference in her State Capitol office.
Her lawsuit, filed Thursday [January 19, 2012] in U.S. District Court, seeks an order requiring Accretive to inform Minnesota patients what information it has, how it has been used and where it has been sent.
“No corporation, especially a debt collector, should secretly slice and dice patients’ medical statistics in such a way without … full disclosure to patients,” Swanson said. [startribune.com]
Furthermore, the AG charged that Accretive had concealed “from patients the extent of its involvement in their health care.” It is alleged that Accretive “at times masked its true identity during collection calls and has not complied with all disclosure and registration requirements.”
One thing that puzzles me: so far, neither of the hospitals that were involved in the data breach has been sued by the AG. If the ownership of patient data by debt collectors is outrageous, isn’t it just as outrageous that medical organizations gave this information to the debt collector?
License Revoked by Commerce Department
The Minnesota AG’s allegations have prompted the Commerce Department to conduct its own investigation. In the meantime, it has also revoked Accretive’s collections license for 20 days, possibly longer, filed a cease-and-desist order, ordered the disclosure of debt collectors who’ve contacted Minnesotans, and ordered the company to turn over all written documents used to collect debt in MN.
I had gone into the story thinking that all of the above — the suit, the revocation of licenses — stemmed from the fact that Accretive had failed to use laptop encryption, which seemed a bit excessive. As it turns out, the issue goes well beyond HIPAA. At least, allegedly. I’ve known for a long time that the use of computer encryption can prevent a can of worms from opening, but this one takes the cake.