Transparency and contrition are two qualities that HIPAA officials at covered entities (CEs) and business associates (BAs) might want to think about expressing should they ever get a call from a state attorney general (AG) investigating a breach.
That’s according to Jonathan Skrmetti, Tennessee’s chief deputy AG, who spoke recently at the 2020 Healthcare Enforcement Compliance Conference, sponsored by the Health Care Compliance Association, which publishes
RPP.
[1]
Skrmetti addressed the growing interest that state AGs have in pursuing multistate settlements and the structure that supports these enforcement actions (see related story, p. 1).
[2]
Of particular interest to compliance officials may be Skrmetti’s insights into what AGs are looking for from CEs and BAs during the investigative and settlement process, what might win them points and what they shouldn’t do.
In late September, Anthem Inc. entered into a $39.5 million settlement for a 2014 data breach that affected nearly 79 million individuals.
[1] About a week later, CHS/Community Health Systems Inc. agreed to pay $5 million for a breach that same year; 6.1 million records had been hacked.
[2]
Premera Blue Cross, in July of last year, agreed to pay $10 million for its 2015 breach that exposed the protected health information (PHI) of more than 10.4 million people.
[3] More than half of that amount $5.4 million went to Washington State alone, as its state Attorney General (AG) Bob Ferguson had spearheaded the investigation.
Because these payments all came amid costly settlements announced by the HHS Office for Civil Rights (with the same organizations), HIPAA privacy and security officials might have missed the fact that all four settlements were not with OCR but were negotiated by state AGs working together.
The Blue Cross Blue Shield insurance group has negotiated a possible settlement to sweeping antitrust lawsuits that alleged the group benefited from anticompetitive measures that included carving up markets between the group’s many partners and companies. The $2.7 billion settlement
[1] still requires approval from 36 member companies before being signed off by a judge.
The settlement adjusts some of the rules governing how the insurance group does its business to prevent regional fiefdoms and anticompetitive alliances from forming while lifting requirements that Blue Cross Blue Shield’s revenue come primarily from its member companies and subsidiaries. The proposed settlement ends more than seven years of litigation brought on behalf of more than 1 million covered Americans.
On September 23, the United States Securities and Exchange Commission (SEC) published its final rule
[1] on several questions regarding the agency’s whistleblower program. Among the rulings were a rejection of a change that would have limited payouts on very large fraud cases, the removal of all internal whistleblower protections offered by the SEC, and a restriction of “related action” cases in which whistleblowers could receive rewards from more than one agency.
The final rule has been expected for at least two years, during which the SEC debated and heard comments on all of the proposed rule changes. Lawyers with the firm Kohn, Kohn & Colapinto have been following the case and put together primers
To embed, copy and paste the code into your website or blog:
There has been much discussion over the years about the relationship between enterprise risk management (ERM) and compliance risk management. Making the discussions more complex has been a tendency to approach risk management from very different perspectives. Risk managers have long looked to the COSO ERM Framework, while compliance teams have turned to the Federal Sentencing Guidelines and other documents. Adding to the complexity are language issues. “Risk appetite” is a common term for risk managers and one that is See more +
There has been much discussion over the years about the relationship between enterprise risk management (ERM) and compliance risk management. Making the discussions more complex has been a tendency to approach risk management from very different perspectives. Risk managers have long looked to the COSO ERM Framework, while compliance teams have turned to the Federal Sentencing Guidelines and