HIPAA Compliance and Willful Neglect

Sunday, July 18, 2010

Jack Anderson


We did a webinar with Amy Leopard awhile back and I very much enjoyed her insight. 

She recently was a co-presenter with David Mayer, the OCR's acting senior adviser for the health information privacy, compliance and enforcement group, the complete text of which may be found at the following place.


Once again there was a prediction that the "final regulations" pertaining to business associates could be published "as early as July".  I won't comment again on these predictions but sooner or later someone has to get the right date.

The significant quote for me was from Amy, stating "Willful neglect generally can be described as knowing HIPAA rules but not properly training employees -- and now, business associates -- in them."  

When we last talked Amy was focused on the business associate agreement, which is an important first step for the covered entity, but making sure that the business associate is compliant is the next step.

The covered entity has a responsibility to get "suitable assurance" that their business associates are compliant and may request a risk assessment from them if "reasonable and appropriate". 

It is within the power of covered entities to have a great influence on protecting the PHI that they entrust to their BA.  They need to start using that power.

Cross-posted from ComplianceHelper

Possibly Related Articles:
Post Rating I Like this!
Mister Reiner It never ceases to amaze how incredibly uninformed the medical community is about information security. I believe the root cause of the problem is that information technology in medical and insurance environments isn't being certified as HIPAA complaint by the government. The government needs to change from being reactive to proactive. Relying on the honor system for HIPAA compliance is totally unacceptable.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.