In the first of the new federal lawsuits for HIPAA violations authorized under the HITECH Act that have been filed against a business associate, the Minnesota Attorney General obtained a $2.5 million settlement. As if that dollar amount were not enough to get the attention of both covered entities and business associates, that settlement also resulted in Accretive Health, a debt collection business associate, agreeing to stop all business operations in Minnesota within 90 days. Accretive Health also agreed not to conduct any such operations for two years. Further, thereafter, for the next four years, Accretive Health must have the Attorney General’s permission to do business in Minnesota.

The lawsuit alleged that Accretive Health had conducted aggressive debt collection practices in emergency rooms in violation of state debt collection laws and that it had violated both state and federal privacy laws both by accessing too much patient information and by not properly safeguarding it, such as by losing a laptop that had contained the data of 23,000 patients of two health care facilities. According to the Attorney General’s press release, the $2.5 million that Accretive Health will pay to the State of Minnesota will be part of a restitution fund used to compensate patients, with any funds remaining remitted to the state treasury.