HIPAA Violations Not Always Due to Data Breaches

Friday, October 01, 2010

Jack Anderson


On an early album George Carlin (RIP) talked about being raised Irish Catholic.  Remarking on mortal sins he observed that if you woke up in the morning and decided to go across town and commit a mortal sin, you could save your bus fare because you already committed a mortal sin just by thinking about committing a mortal sin.

Similarly, you don't have to have a patient data breach to be in violation of HIPAA rules and regulations. By doing nothing, not even thinking about it, you have probably already committed a violation.

For example, if you have a business associate (BA) agreement in place, you are required to be compliant with the terms of that agreement, now. If you don't have a breach notification program in place, you are in violation, now.

If you don't have a privacy program in place, you are in violation, now.

But, you say, I am a small company, so how would they know? Let me count the ways:

  1. Your covered entity detects a pattern of non-compliance, such as your sending unsecured PHI, and is required either to help you fix the problem or to sever your contract and report you to HHS.
  2. A whistleblower (employee, ex-employee, patient, ex-patient, wife, ex-wife, etc.) reports you in hopes of collecting the reward offered by HHS.
  3. An unannounced audit by OCR, the enforcement arm of HHS. They are required by Congress to audit and have hired an outside firm to begin auditing in Q4 2010.
  4. A state attorney general files suit in federal court, as allowed by the HITECH Act.
  5. A patient data breach, which must be reported.

The good news is that just starting on a compliance program earns you a lot of points. Also, new cloud computing solutions are cost effective and efficient for even the smallest companies. A small company can get started for only $125 and can stay compliant and prove it for only $35 per month. This is less than your latte budget.

Cross-posted from Compliance Helper

Katie Weaver-Johnson: Great post! With new HITECH requirements in effect, it is critical for organizations to implement comprehensive privacy programs and ensure all employees (and third parties) understand their individual roles and responsibilities.

Small organizations only have to look at the growing list of data breaches posted by HHS to see that violations, fines, audits, etc. are occurring and they could be next.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Robb Reck: Thanks for the interesting post and George Carlin reference.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
