Swanson’s Compliant Against Accretive Initially Focused on Violation of Federal Privacy Law
Accretive is a company for which the stated goal is to strengthen the financial position of health care providers. It contracts with hospitals to manage their revenue cycles and cut the cost of patient care. In the course of fulfilling its contractual obligations, Accretive gains access to the PHI of hospital patients and, as a business associate of covered entities, must comply with the HIPAA security provisions and certain privacy provisions.
In July 2011, a laptop was stolen from the rental car of an Accretive employee. Swanson alleged that the laptop was unencrypted and contained sensitive data on more than 23,000 patients. She further alleged that Accretive violated federal security laws by failing to encrypt electronic PHI (ePHI) on laptops, allowing employees to take the laptops containing ePHI out of hospital facilities, failing to effectively train its workforce members to maintain the security of PHI, and failing to identify and respond to the theft of PHI, among other violations.
In June 2012, Swanson amended her complaint to add that Accretive failed to execute a business associate agreement before receiving PHI, failed to implement security safeguards that could have protected the theft of the PHI, and gave its employees information that exceeds the minimum necessary information needed to perform their jobs. The case gained national prominence when Swanson added myriad allegations that Accretive violated several Minnesota state laws by, for example, engaging in deceptive, abusive, and aggressive collection practices.
State Attorney Used New Enforcement Authority and Business Associate Requirements Enacted Under HITECH
Pursuant to HITECH, business associates like Accretive are responsible for employing appropriate administrative, physical, and technical safeguards established under the HIPAA security rule and promptly reporting breaches of PHI to covered entities, to allow for the notification of individuals and the mitigation of any risk to individuals resulting from such breaches. Business associates also are responsible for complying with the minimum necessary standards set forth in HITECH.
HITECH also expanded the enforcement of HIPAA by granting authority to state attorneys general to bring civil actions and obtain damages on behalf of state residents for violations of HIPAA. In 2011, the Office for Civil Rights provided five regional training sessions to assist state attorneys general and their staff to implement this new authority.
Practical Advice for Covered Entities and Business Associates
The settlement illustrates that business associates, as well as covered entities, can face serious consequences for perceived violations of privacy laws. They should take all necessary steps to ensure compliance with applicable HIPAA privacy and security provisions. In light of the restrictive terms of this settlement, business associates and covered entities should consider the following recommendations:
Conclusion and Implications
Although Swanson’s lawsuit is the first example of a state attorney general using his or her new enforcement power against a business associate, this case could be an indication of many such lawsuits to come. The inclination of attorneys general in using this authority may vary from state to state, but, certainly, some others are likely to take similarly aggressive approaches to the enforcement of privacy and consumer protection laws. Moreover, as this case demonstrates, a privacy enforcement action may open the door to further allegations of wrongdoing. Going forward, it is important for businesses subject to these rules to take steps to protect against enforcement exposure and help ensure compliance.
Michael Scarano, Jr.
San Diego, California
Los Angeles, California
M. Leeann Habte
Los Angeles, California
Peter F. McLaughlin
Leigh C. Riley