When AGs Call, Know When to Fight, When to Fold

By Theresa Defino

Transparency and contrition are two qualities that HIPAA officials at covered entities (CEs) and business associates (BAs) might want to think about expressing should they ever get a call from a state attorney general (AG) investigating a breach.

That’s according to Jonathan Skrmetti, Tennessee’s chief deputy AG, who spoke recently at the 2020 Healthcare Enforcement Compliance Conference, sponsored by the Health Care Compliance Association, which publishes RPP.[1]

Skrmetti addressed the growing interest that state AGs have in pursuing multistate settlements and the structure that supports these enforcement actions (see related story, p. 1).[2]

Of particular interest to compliance officials may be Skrmetti’s insights into what AGs are looking for from CEs and BAs during the investigative and settlement process, what might win them points and what they shouldn’t do.

‘Fix What You Can’

By the time states start looking into a breach, the CE or BA should already have taken a number of actions, said Skrmetti.

“You want your case to be as uninteresting as possible” to authorities, he said. “You want to remediate upfront as much as you can. Obviously, you have to preserve some evidence, for forensic review. We’re not saying the day you discover the breach you should be flying into a frenzy to get ahead of yourself and fix everything. But you need to be proactive about it, from our perspective, to make the case less interesting. Fix what you can, as soon as you can. Don’t wait for the government to tell you what you need to do on that front.”

He advised that for CEs and BAs that “want to move past the case quickly and get back onto the post-litigation world, transparency and contrition are your best route.”

To begin, start talking early. “You really want to raise your arguments in the context of talking with the multistate negotiators at the outset of a settlement conversation,” he said.

Skrmetti added that “litigating the merits with the states is a particularly rough path to go down because there are a lot of states, and so you’re not just talking about a couple suits,” but there may be “20, 30, 40 suits in state courts,” and individuals from each state will need to be involved.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings