Accretive Health, Inc. is a company providing medical billing and revenue management services to hospitals throughout the US. Accretive "has agreed to settle Federal Trade Commission charges that its inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse." This settlement follows a settlement between Accretive and the Minnesota Attorney General for HIPAA violations.
The lawsuit also asked "Accretive to disclose whether it has sent health data about Minnesota patients to its so-called 'Shared Services Blended Shore Center of Excellence' in New Delhi, India." Unlike previous State AGs that sought to take action against those who lost patient data, the Minnesota AG relied, at least in part, on the authority granted to state AGs by the HITECH Act to take enforcement action against covered entities and business associates that violated the HIPAA Privacy and Security Rules. [3] This case was also the first example of an enforcement action against a business associate. The case came to an end in July 2013, when Accretive settled with the Minnesota AG. Compared to the settlements often entered into by the HHS Office of Civil Rights, the Minnesota AG settlement was relatively harsh. Under the settlement, Accretive agreed to "cease all operations in Minnesota within ... 90 days, or by November 1, 2012. The company [was] then subject to an outright ban on operating in Minnesota for two years, after which, for the next four years, it can only reenter the State if the Attorney General agrees to a Consent Order regarding its business practices in the State." [4]

The FTC Action

The FTC action against Accretive stems from the same incident: the loss of the unencrypted laptop. The FTC brought the action under its enforcement authority in Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." [5] In the Complaint, the FTC alleged the following violations:

"Until at least July 2011, Accretive failed to provide reasonable and appropriate security for consumers' personal information it collected and maintained by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access. Among other things, Accretive Health created unnecessary risks of unauthorized access or theft of personal information by:

a. Transporting laptops containing personal information in a manner that made them vulnerable to theft or other misappropriation;"

The behaviors that the FTC identifies as creating "unnecessary risks of unauthorized access or theft" generally align with the types of behaviors that the Office of Civil Rights finds problematic.

Excerpts from the FTC Consent Order

In the Consent Order, the FTC sets forth a number of requirements Accretive must undertake:

"[E]stablish and implement, and thereafter maintain, or continue to maintain a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program ... shall contain administrative, technical, and physical safeguards appropriate to respondent's size and complexity, the nature and scope of respondent's activities, and the sensitivity of the personal information collected from or about consumers, including:

(1) The designation of an employee or employees to coordinate and be accountable for the information security program;"

The FTC's consent order mirrors some of the HIPAA requirements, including, for example, undertaking a risk assessment, developing appropriate measures to address the issues identified in the risk assessment, and designating a responsible individual. But this Order also imposes additional requirements with respect to subcontractors that go beyond what HIPAA requires, in that the Order calls for the "development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from" Accretive. Under HIPAA, business associates are only required to obtain "reasonable assurances" in the form of a written agreement.
As such, the FTC's language seems to suggest a requirement of more than a written agreement. Like other FTC orders, this one too is in effect for a period of 20 years.

Where is the Office of Civil Rights?

The Office of Civil Rights (OCR) is unlikely to take any action against Accretive as a result of the data breach. Part of the reason that the HITECH Act specifically extended enforcement authority over business associates was to overcome an interpretation released by the Department of Justice many years ago that HHS lacked direct enforcement authority over business associates. Leon Rodriguez, the Director of OCR, has previously stated that OCR will not take enforcement actions against business associates until after HHS releases the revised HIPAA Rules (revised pursuant to HITECH) and the Rules come into effect. The HIPAA Omnibus Rule was not released until January 2013, and the compliance period came into effect in September 2013. But the Accretive breach happened in July 2011. This may explain why the FTC Order tracks HIPAA so closely.

There are a number of legal takeaways from the FTC's latest action.
Similar to the recent action by OCR against Adult & Pediatric Dermatology, P.C., a dermatology practice delivering services in Massachusetts and New Hampshire, this is another breach that could have been avoided with the use of encryption on portable devices, including laptops.

-----------------

[1] Press Release, Minnesota Attorney General, Attorney General Swanson Sues Accretive Health for Patient Privacy Violations: Debt Collector Lost Laptop Containing Sensitive Data on 23,500 Minnesota Patients, https://www.ag.state.mn.us/consumer/pressrelease/120119accretivehealth.asp (last visited Jan. 2, 2014).

[2] Id.

[3] Complaint, State of Minnesota by its Attorney General Lori Swanson v. Accretive Health, Inc., Civil File No. ___ (D. Minn. Jan. 19, 2012) ("Count 1: Violations of HIPAA. Accretive is a business associate of both Fairview and North Memorial as defined in HIPAA. See, e.g., 45 C.F.R. § 160.103. Because HITECH Section 13401 (42 U.S.C. § 17931) provides that 45 C.F.R. §§ 164.308, .310, .312 and .316 apply to a business associate of a covered entity in the same manner as they would to a covered entity, Accretive is thus subject to the security provisions contained within HIPAA as well as applicable civil and criminal penalties.")

[4] Press Release, Minnesota Attorney General, Attorney General Swanson Says Accretive Will Cease Operations in the State of Minnesota Under Settlement of Federal Lawsuit, Cannot Reenter Minnesota For Six Years Without Attorney General's Agreement, https://www.ag.state.mn.us/consumer/pressrelease/07312012accretiveceaseoperations.asp (last visited Jan. 2, 2014).

[5] In the Matter of Accretive Health, Inc., FTC Complaint, Docket No. ___ (File No. 122 3077) (Dec. 31, 2013), available at https://www.ftc.gov/enforcement/cases-and-proceedings/cases/122-3077/accretive-health-inc.

[6] Id. at para. 6.

[7] In the Matter of Accretive Health, Inc., FTC Order, Docket No. ___ (File No. 122 3077) (Dec. 31, 2013), available at https://www.ftc.gov/enforcement/cases-and-proceedings/cases/122-3077/accretive-health-inc.

FTC's Press Release: https://www.ftc.gov/news-events/press-releases/2013/12/accretive-health-settles-ftc-charges-it-failed-adequately-protect.