In early 2012, Minnesota Attorney General
Lori Swanson sued Accretive Health, Inc., a debt collection firm. Swanson contended that Accretive's efforts to increase Fairview hospital system's collections compromised the quality of care. Accretive set up incentive systems which institutionalized a culture of collections among Fairview staff and led to aggressive debt collection techniques. The following are illustrative of these techniques:
Much of the legal leverage against Accretive came in the form of demonstrated violations of state and federal patient privacy laws. Specifically, Accretive had accessed patient records in order to aid in collection efforts and had compromised patient data when two Accretive staff laptops containing records relating to thousands of patients were stolen.
While these invasions of patient privacy are offensive in their own right, I'd wager that privacy violations aren't what raised the Attorney General's ire. Instead, it was anecdotes like the two listed above that seem to have motivated the enthusiastic government response. And what's horrifying about those incidents isn't the inappropriate sharing of medical information, it's the brazen financial manipulation of people when they are in a vulnerable position because their health, or the health of family member, is in jeopardy.
This suggests an advantage of privacy regulation. We tend to regulate the collection, use and disclosure of information in contexts in which individuals are likely to encounter harms beyond the breach of privacy (e.g., employment discrimination stemming out of a disclosure of medical information or identity theft in the financial context). Because unpredictable harms frequently result or accompany a breach of privacy in such sensitive contexts, it makes sense, from an enforcement perspective, to attach penalties to breaches of private information. In this way, states give themselves an enforcement "hook" to regulate all sorts of consumer protection issues.
Is getting this kind of leverage an appropriate use of privacy regulation? How should prosecutorial discretion play into the picture--should the AG only use privacy leverage when there has been a resulting harm or does a bare violation justify intervention? That is, would it have been reasonable for the Attorney General to get involved had Accretive merely lost laptops containing patient information?
Accretive eventually settled with the state, agreeing to pay $2.5 million to the state and cease its operations in the state for a period of years.
- "A mother who was taken from the side of her teenage daughter who tried to overdose on a bottle of pills, made to give a credit card in the middle of the night and pay $500 before she could return to her daughter’s bedside . . . .
- "A pregnant mother who was asked to pay money in the emergency room in the midst of miscarrying her first baby."
Much of the legal leverage against Accretive came in the form of demonstrated violations of state and federal patient privacy laws. Specifically, Accretive had accessed patient records in order to aid in collection efforts and had compromised patient data when two Accretive staff laptops containing records relating to thousands of patients were stolen.
While these invasions of patient privacy are offensive in their own right, I'd wager that privacy violations aren't what raised the Attorney General's ire. Instead, it was anecdotes like the two listed above that seem to have motivated the enthusiastic government response. And what's horrifying about those incidents isn't the inappropriate sharing of medical information, it's the brazen financial manipulation of people when they are in a vulnerable position because their health, or the health of family member, is in jeopardy.
This suggests an advantage of privacy regulation. We tend to regulate the collection, use and disclosure of information in contexts in which individuals are likely to encounter harms beyond the breach of privacy (e.g., employment discrimination stemming out of a disclosure of medical information or identity theft in the financial context). Because unpredictable harms frequently result or accompany a breach of privacy in such sensitive contexts, it makes sense, from an enforcement perspective, to attach penalties to breaches of private information. In this way, states give themselves an enforcement "hook" to regulate all sorts of consumer protection issues.
Is getting this kind of leverage an appropriate use of privacy regulation? How should prosecutorial discretion play into the picture--should the AG only use privacy leverage when there has been a resulting harm or does a bare violation justify intervention? That is, would it have been reasonable for the Attorney General to get involved had Accretive merely lost laptops containing patient information?
Pari, the issue of an AG's involvement with privacy as a matter of consumer protection is definitely a huge topic right now. The California AG is making it a large part of her role and last year, created California's Privacy Enforcement and Protection Unit (http://oag.ca.gov/privacy). Maryland is reportedly doing the same. California has taken it so far that when you visit any page online now, you will start to see a section that says "Your California Privacy Rights." I attended a conference this weekend at which many lawyers were concerned about this potential "over-reaching" exactly for the perspective you suggest--there really hasn't been harm shown in this area and so a separate section on privacy for Californians seems to go too far. I agree that, in the Accretive case, the harm was really the pressure for payment put on patients, and perhaps in the privacy context, we should require a greater showing of harm than there mere "creep out" factor.
ReplyDeleteOne of the difficulties of bringing the law in to provide privacy protection is defining what exactly should be considered "harm." I agree that AG Swanson's suit probably pushes the boundaries. But it should be notable that Accretive not only settled the case but also agreed to leave the state for awhile. Accretive did not want to put this question before a jury or attract negative publicity. I think this suggests that, with the increase in use of technologies/companies that we must simply trust to keep our information private, there is a corresponding negative reaction when that information is misused - because everyone can imagine it happening to them. Whether this is something the courts should tackle, rather than a legislature, is a problematic though.
ReplyDelete