Last week I had a very interesting conversation with a prominent HIPAA lawyer. He works for a large consulting company which starts with K and ends with G, but I’ll leave it at that. He combines the best of both worlds, consultant and lawyer – Opinions, Opinions, Opinions!
The conversation started on privacy incident risk assessment tools but quickly got into regulatory enforcement. I made the claim, which isn’t original, that organization that take action, have consistent processes in place, but may make judgment calls that HHS/OCR doesn’t agree with, are much less likely to be fined than those organizations that put their heads in the sand. This is not to say if you get audited that OCR will not slap your hand, or send you corrective action, but the likelihood of them throwing the whole book at you is much lower. The Omnibus HIPAA Final Rule made it very clear that they prefer a proactive, preventative approach.
Arguing HIPAA privacy and security enforcement with a lawyer is a losing battle. Even if you’re right, he/she will tell you how wrong you are and that is what this gentleman did. But in a round about way he ended up agreeing with me. It is better to do something, than nothing at all – and in doing so you greatly lower the risk of an OCR fine. Then this came out…
“OCR to Focus Audits on Entities with Long-Standing Patterns of Non-Compliance. According to BNA (subscription required), OCR will look for organizations with long histories of noncompliance, across all areas of the healthcare industry. Entities that can demonstrate efforts to create and nurture a “culture of compliance” will come out of audits looking good. Entities that violate HIPAA in ways that raise a high risk of data breaches (such as with mobile devices) will bear the brunt of OCR’s enforcement activities, which will definitely be stepped up after publication of the Omnibus Rule. And if you don’t have policies and procedures in place, you will pay penalties.”
Our conversation was cut short, he was the keynote speaker and it was his time.