by beejhuff 3123 days ago
Let's just say that it exists in a Quantum state of simultaneously being both of those things...a Schrödinger's Regulation, if you will...

I've been on all sides of the HIPAA space since it was enacted.

I've worked for firms who either offered health insurance to their employees or accepted insurance payments for products they sold. My mother is a Therapist with a sole practitioner private practice and I've been working with her to get her compliance house in order as she prepares to retire and sell her practice. I've also worked as a consultant with Software, Insurance, Tech Hardware, and other firms across the spectrum of covered entities and business associates and what I can tell you definitively is that:

Your boss is pretty much correct... RIGHT up until the point when you have a security incident and get compromised in some manner and disclose PHI.

Of course, the bizarre thing is that if you're REALLY large (like Anthem Insurance large) and disclose hundreds of thousands or dozens of millions you will probably NOT be put out of business by DHS, even though the law indicates you should be fined up to $1 million per disclosed patient record assuming it was a flagrant effort of non-compliance. The reason?

I guess it's Too Big To Fail - there's simply no alternate mechanism in the current insurance marketplace to absorb that many insured without some seriously destructive economic dislocation. Smaller firms, and let's face it - nearly everyone else is smaller, don't get off as easy. DHS has begun increasing enforcement actions, especially for firms who fail to follow notification provisions after a breach.

They appear to be increasingly eager to make examples out of the smaller fish in what one assumes is an attempt to goad the bigger fish into more disciplined action.

And even if you avoid the criminal provisions (yes, some have and more will continue to be sentenced to actual jail time for their involvement in failing to adequately protect PHI), it appears that the market is beginning to correct the imbalances of economic power as more and more class action lawsuits are being filed against the firms who survive the DHS HIPAA post-mortem - http://www.beneschlaw.com/Lessons-Learned-from-the-Anthem-Cy...

It seems that all those disclosure requirements that are the first things required after a breach (especially if you want to avoid more stringent penalties after your post-breach audit) are producing mountains of evidence that class action trial attorneys just adore digging into...

I've personally gone back and forth in different roles / situations on how much I let the higher-ups' paranoia or lackadaisical approach to HIPAA affect me. In the end, if I'm worried they're not taking it seriously enough, I provide a written document for them to sign outlining any concerns I have and documenting when I raised them. I ask that they sign it and, further, agree to explicitly acknowledge in the document that they will take the risk of any potential jail sentences or fines that come from activities that wind up piercing the corporate veil of liability protection, and specifically relieve me of any and all liability for any economic impact that may come to damage the company later should my concerns prove well founded and the worst case scenario happens.

They'll either get scared straight and do the right thing, or they'll laugh it off and at least then, if I want to stick around, I can do so knowing that I've done everything that I could for the time being to inform the stakeholders at the firm and protect myself. But really, if it gets THAT bad, I'm probably not going to feel comfortable trusting my economic well-being to people who would make such horrible decisions...