by paulcole
2664 days ago
Here’s the thing with HIPAA consultants and training: it’s mostly bullshit but people pay for it because they’re afraid. Afraid of what? Who knows. Remember The Simpsons episode where Homer wants to pay Lisa for her magic rock because it keeps tigers away — “You don’t see any tigers here, so it must work, right?” — that’s HIPAA training and consulting in a nutshell. There’s no point offering HIPAA consulting/training for anything but exorbitant prices. Get people scared enough and they’ll pay it. Are you a giant research university or a hospital that’s also a household name? If not, you’ll never have a problem with HIPAA unless you royally fuck up or piss someone off who has the time and energy to follow through on a complaint. Even if you do invest in HIPAA compliance and pay through the nose to become 100% compliant, ask another HIPAA consultant and they’ll find a million more problems you need to fix.

Your advice is kinda true, but your sentiment is dangerous. With all regulatory issues, you can get away with them up until you can't. However, the difference between crippling fines or jail or gross negligence is whether or not you made reasonable or better attempts to do the right thing. As a company, you never know when something terrible is going to happen, and telling people not to worry about it is dangerous and irresponsible.
That being said, compliance programs are put together based on best practices and litigation. The more litigation occurs, the better we understand the legislation / guidance that is often poorly written / defined. That's why GDPR / CCPA consultants are just best guessing - but it always helps to have a reputable third party attest to the validity of your methodology - it shows that you tried hard to do the right thing. Third-party audits are even better.
Trying to do the right thing is a cost of doing business - it doesn't have to be prohibitively expensive, and it's part of doing business responsibly.