In February, we alerted you to the first HIPAA enforcement action taken against a business associate. The action was pursued by the Minnesota Attorney General against Accretive Health, a service provider that was involved in a security breach affecting patients of two hospitals that engaged Accretive to provide debt collection and other services. The resultant lawsuit by the AG pursued claims related to questionable debt collection practices, but also included multiple alleged HIPAA violations, as detailed in our earlier alert. Without admitting any of the allegations, Accretive Health has just agreed to settle this lawsuit on the following terms:

At least one of the three hospitals in the State that engaged Accretive Health ended its relationship with the company before any settlement was reached, and Accretive Health’s vice president and corporate controller resigned. The Attorney General’s office has also referred evidence in the form of patient affidavits it collected in its investigation of this matter to the Centers for Medicare and Medicaid Services for potential enforcement actions under the federal Emergency Medical Treatment and Active Labor Act against the hospitals formerly doing business with Accretive Health.

This settlement serves as a reminder that both federal and state HIPAA activity is increasing markedly, and covered entities and business associates should take steps to evaluate or improve compliance.

Elizabeth Johnson, an attorney no longer with Poyner Spruill, was the original author of this article.

◀︎ Back to Thought Leadership