Accretive Health, the former bill collector for Fairview Health Service in Minnesota, has agreed to pay a $2.5 million fine and leave the state as part of a settlement of a federal lawsuit brought by state Attorney General Lori Swanson.
A federal judge approved the settlement late Monday. The case against Chicago-based Accretive attracted national attention with allegations of repeated privacy breaches and abusive collection tactics, such as approaching patients in emergency rooms for payment.
Swanson, who filed the lawsuit in January, says justice was served.
"A hospital emergency rooms is a high stress place -- of trauma, of suffering," Swanson said in a press conference. "It should be a solemn place, not a place to shake down patients for money. It's good to close the door for Minnesota on this really disturbing chapter in our health care history."
Even though Accretive signed on to the settlement, the company shot back in what has been a fiery war of words.
"The attorney general rebuffed us and bushwacked us; told us she would meet with us," Accretive attorney Joe Anthony said. "We turned over 100,000 documents to her in the spirit of cooperation. And then what she did was she made them publicly available. That's just not the kind of straightforward behavior that Minnesotans expect from their attorney general. And that's what happened to us. In this environment, who wants to do business here?"
The settlement requires Accretive to do several things:
- create a patient restitution fund of nearly $2.5 million, with any funds remaining going to the state treasury;
- hand over all data about Minnesota patients treated at Twin Cities hospitals that contracted with Accretive;
- wind down operations in Minnesota by November and stay away for six years unless the attorney general approves.
Accretive has maintained that Swanson's actions cost more than 100 Minnesota jobs. But Swanson called that "an absurd comment" saying that Accretive tells investors it makes money by outsourcing jobs to India.
Swanson alleged Accretive was lax about securing sensitive patient information. She said a laptop containing more than 23,000 Fairview and North Memorial patient information records was stolen out of an Accretive employee's rental car.
The settlement comes at a time when Congress and the Obama administration have beefed up medical privacy laws and enforcement of those provisions.
In 2009, Congress gave state attorneys general such as Swanson the power to sue over violations of federal privacy protections. The federal Department of Health and Human Services has even been training the state prosecutors.
Accretive ran afoul of another provision of federal privacy laws. Lawmakers expanded responsibility for medical privacy from hospitals and health plans to their subcontractors like Accretive. University of Minnesota law professor Bill McGeveran says that's a huge change.
"It makes those kinds of subcontractors directly responsible to follow the rules themselves," McGeveran says. "Now they're needing to answer not just to their clients, like the hospitals that hire them, but to the government about privacy and security arrangements."
Swanson alleged that Accretive and North Memorial Hospital shared patient data for six months without a legally required agreement on securing data and then created a backdated one to cover the omission.
The Obama Administration has also stepped up enforcement of medical privacy laws, according to Washington D.C. attorney Arianne Callender.
Callender was a senior lawyer in the Office of Inspector General to the U.S. Department of Health and Human Services. She says about a year ago, the agency's internal watchdog issued a highly critical report on the department's lax enforcement of patient privacy laws.
"They're under a microscope right now," Callender said. "So I think that's why we're seeing more privacy breach settlements and cases coming down the pike."
Last month, Alaska agreed to pay a $1.7 million fine and to establish a three-year corrective action plan when a USB hard drive "potentially containing electronic protected health information" was stolen out of an employee's car.
In that case, the office of civil rights found Alaska lacked adequate policies and procedures to safeguard patient information. But Alaska's Health and Social Services commissioner disputed those findings and said the state admitted no liability but that the settlement and cap was a way to "avoid costly and protracted litigation."
Three other medical centers or insurers have recently paid fines approaching or exceeding $1 million, as well. In March, BlueCross BlueShield of Tennessee agreed to pay the U.S. Department of Health and Human Services $1.5 million to settle violations, after 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information of more than 1 million individuals.
Other government settlements for violating patient privacy laws include:
- UCLA Health Systems, which agreed to pay $865,000 in 2011, after unauthorized employees viewed electronic medical records of celebrities;
- Massachusetts General Hospital for $1 million, after an employee left 192 patient medical files on a subway train. Those files were never recovered.
Efthimios Parasidis, a health law professor at St. Louis University says the privacy regulations are far from detailed and many are waiting for official guidance from HHS. But he says Minnesota's case against Accretive was not premature.
"We've learned from other areas of government regulation and other agencies, guidance can take decades to come down," Parasidis said. "And if we wait for guidance. We're going to be living in a world where patients aren't having the protection that the law actually provides them."
This story is part of a reporting partnership that includes Minnesota Public Radio News, NPR and Kaiser Health News.