“Not Me”. Premera Blue Cross will pay $6.85 million and Athens Orthopedics will pay $1.5 million. The key phrase we found in these and other cases was “systemic noncompliance with the HIPAA Rules”. The problem as we see it is that most of the people we talk with believe this will not happen to them, yet they have no idea of their level of exposure. At the very least, we recommend that they address every Standard of the HIPAA Security Rule and that they ensure their Business Associates understand and follow the requirements of the Omnibus Rule.
The challenge as we see it is that most organizations believe they have a viable security program as required by HIPAA, yet most of the programs we look at are not even close. For example: does your Security Risk Analysis meet the requirements of the law?
Understand that not all Security Risk Analyses are the same. The law requires you to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) that your organization creates, receives, maintains, or transmits.
Look at it from a different angle. Imagine that you are in court and are asked about any one of the standards under HIPAA. Can you produce a policy, and evidence, demonstrating that you have met that requirement? Considering that civil monetary penalties can reach fifty thousand dollars ($50,000.00) per violation, can you afford not to verify your compliance status?
The bottom line is that no organization is immune, and at any point in time you may be the subject of the next “news release” from OCR.