[ Friday, April 27, 2012 ]
I posted on the Accretive Health data breach back in January. Accretive is a big "revenue management" company for hospitals; obviously, a big part of that business is actually turning accounts receivable into collections, which means they are, in fact, in the "debt collection" business.
Surprise, surprise, debt collectors try to collect debts, and get customers to pay for services they receive. Apparently, that's a crime in Minnesota.
On Tuesday, the NY Times published either a news article or a press release from the Minnesota AG (it's really hard to tell which it is) on how Accretive works by subcontracting with hospitals, putting Accretive employees into the hospital workforce (probably like AdminiStaff does), and training hospital employees to "manage revenue" by asking for payment up front and/or after services are provided.
Of course, this has triggered the righteous outrage of all the right people. The Michigan AG has apparently jumped on board, investigating Accretive since it works for several hospital systems in Michigan. And none other than Pete Stark has asked CMS to investigate as well.
The horror! The gall! Expecting people to pay for the services they receive!
In all fairness, Accretive's actions may (MAY) violate the Federal Fair Debt Collection Act (doubtful; it would've been explicitly stated in the press release/"news" story) or some state debt collection laws. Minnesota did cancel Accretive's debt collector license, after all. And if the employees hindered any ER patient from getting emergency care (not primary care that they don't need to be in the ER for in the first place), then there might be a violation of EMTALA. I doubt it -- again, the Minnesota AG has been chewing on Accretive's hide for as long as a year now, and they'd have reported that part if it were the case.
Is there a HIPAA breach here? Covered entities (hospitals) and their business associates (debt collectors) have a right under HIPAA to use and disclose PHI for treatment, PAYMENT, and healthcare operations. The covered entity disclosing the data to a debt collector (either an employee [a workforce member] or a contractor [a business associate]), and the debt collector using the data to discuss the debt with and try to get payment from the patient or a responsible party, is dead center of the definition of "payment."
The ONLY QUESTION, as I see it, is whether the amount/type of PHI used or disclosed exceeded the minimum necessary for the purposes of the use/disclosure (i.e., getting payment). Minimum necessary doesn't apply to uses/disclosures for treatment, but does apply to all other uses/disclosures, including those for payment. Theoretically, using PHI from a previous, paid-up and unrelated treatment incident might be outside the "minimum necessary" limits, but even then, in some of those cases, you can see how it might still be OK. There aren't bright-line borders on what PHI is and isn't within the minimum necessary. But none of the news stories have any information clearly indicating that more PHI was used than needed.
Jeff [11:07 AM]