HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Business Associate Breach Leads to $2.5M Settlement by Accretive: But Who is the Covered Entity or Business Associate Here, and Do We Care?

Posted in HIPAA Enforcement

Attorney General Lori Swanson of Minnesota (“AG”) issued a press release reporting that Accretive Health, Inc. (“Accretive”), the defendant in an action filed by the AG in U.S. District Court alleging violations of HIPAA, HITECH, the Minnesota Health Records Act, and the Minnesota consumer protection laws, signed a Settlement Agreement, Release and Order on July 30, 2012 (“Settlement Agreement”). The Settlement Agreement recites:

[R]ecognizing that unique circumstances exist in Minnesota in light of the Attorney General’s Agreement with Minnesota charitable hospitals … Accretive Health … has decided to wind down its remaining work for Minnesota Clients …

(other than its continuation of prior technology licensing agreements). The Settlement Agreement also requires Accretive to pay the AG nearly $2.5 million within 15 days of the Settlement Agreement’s effective date. The funds may be distributed to patients at the discretion of the AG, used for settlement administration, and/or remitted to the State Treasury.

Previous posts to this blog have reported on the AG’s action against Accretive, and on the need for entities or individuals sharing Protected Health Information (“PHI”) to identify the roles, rights, and obligations of the parties. Michael Kline’s recent blog post reported on a breach involving more than 500 individuals that was included on the list maintained by the U.S. Department of Health and Human Services (the “HHS List”), highlighting the summary provided by the Office of Civil Rights (“OCR”). Michael noted that the OCR summary implies that OCR expects a covered entity (“CE”) contracting with a business associate (“BA”) to verify that the BA is “not an independent” CE.

Identifying the roles of the parties and the context in which PHI is disclosed is critical because different information-sharing standards apply depending on these roles and circumstances. For example, a business associate agreement (“BAA”) is not required for disclosures made within a CE for treatment, payment, or health care operations, nor is a BAA required for PHI to be disclosed from one CE to another CE where the recipient CE is a health care provider and the PHI is being disclosed for treatment purposes.

However, if the recipient CE is a health care provider, but is receiving the PHI as a BA (generally defined as a person or entity that performs functions or activities on behalf of another person that is a CE, which involves the use or disclosure of PHI), a BAA is required and it must, among other things, “establish the permitted and required uses and disclosures” of the PHI (though failure to execute a BAA will not absolve the BA of its responsibilities and liabilities under HIPAA and HITECH). In addition, while most uses and disclosures of PHI must be limited to the “minimum necessary,” current regulations do not restrict disclosures to or requests by a CE that is a health care provider to the “minimum necessary” when the disclosure or request is for treatment of a patient. A CE can use or disclose PHI for “payment” activities, but must comply with the “minimum necessary” standard. If the “payment” activity involves disclosure to a consumer reporting agency, the CE may only disclose specified information (name/address, date of birth, social security number, payment history, account number, and the name and address of the CE).

The Accretive case was triggered by an alleged PHI breach (the all-too-frequent loss of a laptop containing sensitive information about 23,500 patients treated at two hospitals that had contracted with Accretive), but the AG’s allegations were most scathing where they painted a picture of insidious and inappropriate sharing and use of PHI between hospitals and Accretive. The AG alleged that Accretive’s “Quality and Total Cost of Care” services used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms. Accretive allegedly “amasse[d] and ha[d] access to a high volume of sensitive and personal information,” which it used, among other things, to create “per patient risk score” calculations, yet the hospitals’ patient authorization forms allegedly failed to disclose the scope or breadth of the PHI that the hospitals would share with Accretive.

In addition to this questionable and seemingly surreptitious “behind the scenes” PHI-sharing, Accretive staff allegedly interfaced directly with patients seeking treatment at the hospitals, often appearing to be members of the hospital’s staff. Jessica Silver-Greenberg, reporting on the Settlement Agreement in the New York Times, describes allegations of aggressive collection tactics taken by Accretive that involved requesting payment from patients seeking emergency care.

Whether a clear delineation of the role of Accretive as a BA and/or restriction of PHI disclosed to Accretive to the “minimum necessary” would have prevented the AG’s action is unclear. However, the Accretive case provides a good example of how the blurring of the CE and BA roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.