Accretive Health, Inc.’s legalissues continue to evolve as new allegations by Minnesota AttorneyGeneral LoriSwanson accuse Accretive of operating without a HIPAA-required business associate agreement (BAA) and then creating a back-dated agreement in response to litigation.
As we previouslyreported, Accretive, a Chicago-based health care consulting companyand debt collection agency, originally caught the attention of AttorneyGeneral Swansonwhen it was discovered that an unencryptedlap top computer with medical information of over 23,531 Minnesota patients wasstolen on or about July 25, 2011. This led torevelations suggesting that Accretive was engaged in improper collection activities in the emergency rooms of two Minneapolis-area hospitals, Fairview Health Systems and North Memorial Hospital,andengaging in bedside collection visits. It was thendisclosed that one or more officers ofFairviewhad family connections with employeesof Accretive. In January, Minnesota Attorney General Lori Swanson sued Accretive Health for violation of HIPAA, the HITECHAct, the Minnesota Health Records Act and various Minnesota consumer protectionand debt collection statutes.Perhaps the strangest twist occurred inMay when Chicago mayor Rahm Emanuel reportedly sent a letter to Swanson asking her to back off the litigation until he could arrange a meetingwithAccretive’s CEO. Swanson declined the suggestion.
Swanson now seeks to file a secondamended and supplemental complaint to add newfactual allegations. Specifically, Swanson alleges that at the time she requested documents in October of 2011, Accretive did not have a business associate agreement in place with North Memorial. Following the request, sheclaims that Accretive created one and made it look as if it had been signed on March 21, 2011.
The Attorney General acknowledges that it is the covered entity’s obligation to have a BAAin place before making protected health information available to a vendor, such as Accretive. However,the Attorney General argues that Accretive’s actions with respect to not having the BAA supports her claims that Accretive disregarded its HIPAAobligations. It would be surprising if a sophisticated health careprovider likeNorth Memorialhad not had implemented such a basic required document with a business associate like Accretive, to say nothing of the alleged "deception" as characterized by Swanson.
This caseis agood example of the growing propensity for state Attorneys General to engage in HIPAA enforcement actions as we have discussed.Regardless of how the legalsaga turns out, it is also a good reminder to have compliant business associate agreements in place as required by HIPAA.