Big HIPAA Fine for Solo Doctor Practice
HHS OCR Cites Major Security Shortcomings
… Susan Lucci, a senior privacy and security consultant at tw-Security, says the case also provides critical lessons about business associate relationships.
“You cannot forget to vet and communicate with your business associates,” she says.
“Ongoing communication can set expectations and provide assurances that they are aligned with your level of compliance. This is an ongoing process, not a once-and-done. As attacks evolve, so too should your defense strategy.”
Lucci questions the size of the financial penalty in the case.
“Over a year ago, OCR announced they would reduce the penalty amounts levied,” Lucci notes (see HHS Lowers Some HIPAA Fines).
“It’s counterproductive to get healthcare on board with compliance when they levy high penalties. The corrective action plan always follows the penalty, and there is an expense tied to that. All in healthcare have a budget, and if the OCR assesses overly burdensome penalties, then what will suffer – patient care, services, staffing? Certainly organizations that have not made strong efforts to comply with data protection should have consequences, but a more balanced approach to achieving the goal is what is needed.”