Time to Get Serious About HIPAA? InformationWeek has a policy paper out (free registration required) advising businesses to get serious about HIPAA compliance. They note the Providence $100K settlement, followed by the CVS $2.25M settlement. It's hard to call 2 data points a trend, but add in the hiring of PriceWaterhouse Coopers by the Department of Health and Human Services, and it sure looks like storm clouds are gathering. The paper also gives a common-sense 10-step program for getting your ducks in a row.
Of course, some of us have been "serious about HIPAA" for some time. There is an interesting article included with the paper about one CEO's decision to ignore HIPAA until the feds started moving, and save the implementation money; this is the same advice one of my partners gave back in 2000: the penalties aren't that high, there's no private cause of action, so the probability of getting caught and punished was slim. The CEO (and Dan) turned out to be right. BUT, as the post below notes, it's more than just the HIPAA cost that you have to figure in. Outside of HIPAA, most healthcare providers have at least an ethical duty to protect PHI, and in many states a legal one; and if you're doing HIPAA well, you're much less likely to suffer one of these costly data breaches.