HIPAA Violations Not Always Due to Data Breaches

Friday, October 01, 2010

Jack Anderson

On an early album, George Carlin (RIP) talked about being raised Irish Catholic. Remarking on mortal sins, he observed that if you woke up in the morning and decided to go across town and commit a mortal sin, you could save your bus fare, because you had already committed a mortal sin just by thinking about committing one.

Similarly, you don't have to have a patient data breach to be in violation of HIPAA rules and regulations. By doing nothing, not even thinking about it, you have probably already committed a violation.

For example, if you have a business associate (BA) agreement in place, you are required to be compliant with the terms of that agreement, now. If you don't have a breach notification program in place, you are in violation, now.

If you don't have a privacy program in place, you are in violation, now.

But, you say, I am a small company; how would they know? Let me count the ways:

  1. Your covered entity detects a pattern of non-compliance, such as your sending unsecured PHI, and is required either to help you fix the problem or to sever your contract and report you to HHS.
  2. A whistleblower (employee, ex-employee, patient, ex-patient, wife, ex-wife, etc.) reports you in hopes of collecting the reward offered by HHS.
  3. An unannounced audit by OCR, the enforcement arm of HHS. They are required by Congress to audit and have hired an outside firm to begin auditing in Q4 2010.
  4. A state attorney general files suit in federal court, as allowed by the HITECH Act.
  5. A patient data breach, which must be reported.

The good news is that just starting on a compliance program earns you a lot of points. Also, new cloud computing solutions are cost effective and efficient for even the smallest companies. A small company can get started for only $125 and can stay compliant, and prove it, for only $35 per month. This is less than your latte budget.

Cross-posted from Compliance Helper

Katie Weaver-Johnson: Great post! With new HITECH requirements in effect, it is critical for organizations to implement comprehensive privacy programs and ensure all employees (and third parties) understand their individual roles and responsibilities.

Small organizations only have to look at the growing list of data breaches posted by HHS to see that violations, fines, audits, etc. are occurring and they could be next.

Robb Reck: Thanks for the interesting post and George Carlin reference.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
