Minnesota attorney general brings the first formal enforcement action against a business associate, Accretive Health, Inc., for an alleged violation under HIPAA using her authority under the HITECH Act.
We have previously written that 2012 will be the year of HITECH Act enforcement and the year that State AGs will awaken and become more aggressive in their enforcement actions. The link above is a harbinger of things to come. Most business associates (BAs) do not realize that their compliance with the HITECH Act is "good law" today.
Forget business associate audits, breach notification is the 800 pound gorilla of the HITECH Act, because of the costs, fines, and lawsuits that a breach is likely to trigger. What is the probability that a breach will occur? High would be an understatement!
HHS has added to the confusion by slow-walking the Omnibus Rule and giving a grace period (understatement) for BAs to comply. However, as indicated in the link above, there is nothing preventing a State AG or the US Department of Justice from bringing an action today.
What is likely to trigger an action? Currently there is only a small probability of a BA being audited, given that HHS has announced that BAs would not be targets of the first round of audits conducted by KPMG through the end of 2012. There is, however, a high probability that a data breach will occur. Breach Notification is the 800 pound gorilla of the HITECH Act, not only because of the costs and the fines, but because of the lawsuits a breach is likely to trigger.