Swanson alleges [PDF] that Accretive lost a laptop featuring the unencrypted PHI of 23,531 Minnesota patients. Accretive Health provides two Minnesota hospitals with "debt collection, treatment coordination and revenue cycle management services". That provision involves Accretive collecting health information and quantifying over twenty medical attributes (eg HIV status, medical health conditions and heart conditions) in determining areas for cost-reduction. Quantification - the basis of much 'big medicine' - include measures of patient "frailty". The company provides contract negotiation assistance with insurers, receiving both a management fee and a percentage of savings from reductions in health care costs.
Accretive is alleged to have breached both HIPAA and Minnesota state debt collection and consumer protection statutes. The laptop went AWOL In a distibctly traditional way: an Accretive employee left the device laptop in a rental car overnight ... the next day there was no laptop. Swanson's complaint is that Accretive Health failed to initially identify and disclose the names of all of the patients on the device. The identity of approximately 6,000 additional individuals was disclosed only after one of the hospitals used an independent forensic investigator.
The Minnesota suit seeks statutory damages (up to US$50,000 per violation) on the basis that Accretive was in breach of the statutes by failing to -
Implement policies and procedures to detect, contain and correct security violations;In a nice example of bad practice the claim by Minnesota includes a screenshot sent by one of the hospitals to a patient who queried what personal information was on the missing laptop. Swanson indicates that -
Implement policies and procedures that address workforce member access to personal health information;
Train agents and independent contractors as to how to respond to a data breach and how to properly handle personal health information;
Identify, respond to and mitigate the harmful effects of a security incident;
Implement policies and procedures related to portable devices;
Implement technical policies and procedures for electronic information systems that maintain electronic personal health information and limit access to workforce members;
Implement policies and procedures to comply with the HIPAA Security Rule.
The screen shot has personal identity information, such as the patient’s name, address, date of birth, and Social Security number. It also includes a checklist to denote whether the patient has 22 different chronic medical conditions and, if so, the condition of the patient. The medical conditions on the “checklist” include three mental health conditions (depression, bipolar disorder and schizophrenia); HIV; lung conditions like asthma; heart disease like high blood pressure and chronic heart failure; neurological diseases like Parkinson’s and seizure disorders; and metabolic disorders like diabetes and hypothyroidism. The screen shot also includes numeric scores to predict the “complexity” of the patient and the probability of an inpatient hospitalization, and a box to describe the “frailty” of the patient.just the thing to encourage trust in the health service provider and its associate Accretive.
Minnesota seeks an order requiring Accretive to fully disclose to patients:
1) what information it has about Minnesota patients;The suit also asks Accretive to disclose whether it has sent health data about Minnesota patients to its so-called “Shared Services Blended Shore Center of Excellence” in New Delhi, India.
2) what information it has lost about Minnesota patients;
(3) where and to whom it has sent information about Minnesota patients; (4) the purposes for which it amasses and uses information about Minnesota patients.
The lawsuit further seeks an injunction that restricts how Accretive treats and uses patient data going forward and to hold Accretive accountable for its violations of state and federal health privacy laws, debt collection laws, and consumer fraud laws.