As mentioned in a previous blog post, Senator Al Franken of Minnesota sent a letter to Accretive Health concerning the allegations in a report by the state’s Attorney General Lori Swanson.
Sen. Franken has reason to be concerned. Not only is Minnesota his home state, but he is the Chairman of the Senate Privacy, Technology, and the Law Subcommittee in the Senate Judiciary Committee. In November, he had held a Subcommittee hearing entitled “Your Health and Your Privacy: Protecting Health Information in a Digital World,” which focused on the privacy implications of electronic health records in hospitals. Sen. Franken is also the author of the End Debt Collector Abuse Act of 2010, a bill designed to protect consumers from abusive and fraudulent debt collection practices – concerns that were also raised in the AG’s report on Accretive.
I wonder how differently his hearing might have gone had all of this been disclosed last year.
Here is the full text of Sen. Franken’s letter to Accretive Health, below. The questions about data breaches start at Q-10, but the privacy aspects of how data were used are throughout the letter:
April 27, 2012
Ms. Mary Tolan, CEO
Accretive Health, Inc.
401 N. Michigan Ave., Suite 2700
Chicago, IL 60611
Dear Ms. Tolan:
I read with great concern Minnesota Attorney General Lori Swanson’s detailed report into the alleged activities of your company, Accretive Health, in its capacity as a contractor for Fairview Health Services in Minnesota. These alleged activities included demanding that patients pay for services before and during treatment, particularly targeting pregnant women admitted to labor and delivery departments. The report also alleged that Accretive provided a broad range of its employees, including debt collection agents, with full access to Fairview patients’ detailed medical records—including diagnoses and treatments—even if those employees had no apparent reason to access this sensitive, confidential, and legally-protected information. The report also detailed a series of previously unknown breaches of Fairview patients’ data as a result of several laptop thefts; it appears that much of this data may have been unencrypted.
If proved to be true, these activities may have violated federal health, consumer protection, and privacy laws. As Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, and as a member of the Senate Committee on Health, Education, Labor and Pensions, I take these allegations very seriously.
I request that you provide answers to the following questions by Friday, May 4. For each question, if Accretive did not directly engage in the conduct described, please indicate whether Accretive employees instructed others to engage in the conduct.
1. Did Accretive employees request payment or attempt to collect past debts from Fairview patients before they received medical treatment?
a) If so, did they make these requests for emergency room patients?
b) Is Accretive aware of any information suggesting that these practices led to longer wait times for patients?
c) Is Accretive aware of any information suggesting that these practices led to any patients refusing treatment or leaving a hospital before receiving treatment?
2. Did Accretive employees in any way suggest to patients that they wouldnot receive treatment if they could not pay for it or if they could not pay a past debt?
a) The report states that Accretive employees were directed to “put together a ‘pre-balance stop list’ the night before patient appointments so that the patient can be stopped for payment before treatment is rendered.” See Swanson Report §5.3. Is this true?
b) Did Accretive employees create “stop lists” for patients who were scheduled for surgery?
c) Is Accretive aware of any information suggesting that these practices led to longer wait times for patients?
d) Is Accretive aware of any information suggesting that these practices led to any patients refusing treatment or leaving a hospital before receiving treatment?
3. The report states that Accretive instructed Fairview employees to predict the “likely” diagnosis and treatment in order to bill patients prior to treatment. See Swanson Report at §5.4. Is this true?
a) If so, how did Accretive instruct its employees or others to make these predictions?
b) If so, how did Accretive identify erroneous predictions?
c) If so, how does Accretive ensure timely refunds to patients who overpaid?
4. Did Accretive employees request or discuss payment or attempt to collect past debts from patients while they received medical treatment or were interned at the hospital?
a) If so, did they do so for emergency room patients?
b) If so, did they do so for patients in the neonatal intensive care unit (NICU)?
c) Were Accretive employees directed to “collect at bedside post patient assessment,” as the report alleges? See Swanson Report §5.4.
5. The report appended an email in which an Accretive employee wrote: “We need to get cracking on labor and delivery. There is a good chunk to be collected there […]” The report also cited a separate email in which an Accretive employee was instructed to prepare a daily report to “identify moms that admitted yesterday” to target collections toward those individuals. See Swanson Report §5.3. Does Accretive stand by these statements?
a) Is it or has it ever been Accretive policy to direct its employees to focus collections on patients in maternity units?
b) If so, has Accretive changed its practices in this regard?
6. What specific medical data did Accretive make available to its post-treatment debt collection agents?
7. The report states that Accretive debt collection agents were able to access information indicating that a specific Fairview patient suffered from “major depression, alcohol intoxication, migraines, attention deficit disorder and attempted suicide by cutting his wrist.” See Swanson Report at §4.7. Is this accurate?
a) If so, why does Accretive permit its debt collection agents to access this information?
b) The report alleges that “patient health information was used to collect debts.” Ibid at 4.7. Is this accurate, and if so, how exactly was patient health information used to collect debts?
c) Does Accretive change its collection practices on the basis of a patients’ diagnosis or treatment? Have Accretive employees done so in the past?
8. The report states that Accretive collection agents identify themselves as “financial counselors” as opposed to “debt collectors” when seeking payment for past debts from patients. See Swanson Report §5.7. Is this true?
a) Did Accretive require all patients to meet with a financial counselor before receiving treatment?
9. The report states that Accretive refused to provide documentation verifying a debt when requested by consumers. See Swanson Report §5.9. Is this true?
a) Did Accretive continue to seek payment of debts after verification was requested?
10. The report states that Accretive employees lost six laptops to theft in three separate incidents between February and June 2011. See Swanson Report at §4.6. Is this accurate?
a) How many Fairview patients had medical information that was contained in the lost laptops?
b) How many other individuals had medical information that was contained in the lost laptops?
11. The report provides a redacted screenshot of a patient’s medical data file that was contained on the laptop lost in the Seven Corners neighborhood of Minneapolis on July 25, 2011. That file contains the patient’s full name, address, date of birth and a checklist indicating that the patient suffers from bipolar disorder, diabetes, a lipid metabolism disorder, and hyperthyroidism. The file template also permits identification of a range of other conditions and diagnoses, including depression, schizophrenia, Parkinson’s disease, and HIV positive status. See Swanson Report at §1.7.
a) How many files like this one were contained in the lost laptops?
b) How many of these files were encrypted? How were they encrypted?
c) How many of the files were protected in another way (password protection, etc.)? How were they protected?
d) If any of the files were not encrypted, why were they not encrypted?
e) The report alleges that the user of the laptop was a “revenue cycle” employee. Ibid at §4.6. Is this accurate? If so, what is a “revenue cycle” employee, and why does such an employee require access to these customer records?
12. What other patient medical information was contained in the lost laptops?
a) Was that information encrypted or protected in any way?
b) Has Accretive changed its encryption practices since these thefts? If so, how? If not, why not?
13. Does Accretive believe that it has acted in compliance with the federal Emergency Medical Treatment and Active Labor Act?
14. Does Accretive believe that it has acted in compliance with the federal Fair Debt Collection Practices Act?
15. Does Accretive believe that it has acted in compliance with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act?
16. Does Accretive believe that it has met its obligations under its February 18, 2010 business associate agreement with Fairview?
17. Does Accretive believe that it has treated Fairview patients fairly and ethically?
Thank you for your prompt attention to this matter. I look forward to reviewing your responses.
Chairman, Subcommittee on Privacy,
Technology, and the Law
Update: Attorney Jeff Drummond has a different perspective on the allegations and seems to think that this is much ado about relatively little.