The HIPAA enforcement rule is published.
Rick Brady mentioned that “HIPAA has no teeth.” I agree in principle. Martin Jensen mentioned that he used to agree with it not having teeth until he had a conversation with one of the regulators.
I think there are really a few important points. The penalties really are rather small and incosequential compared to the costs of compliancy. Every good business has to weigh those two factors. However, the more difficult concept to calculate is the shame of a HIPAA violation. I can tell you now that this is something for which people are very interested. The most often google search I get is for HIPAA Lawsuits. People are scared of this possibility and want to know who is going to take the fall at HIPAA’s hands. I really feel like I’m stuck between a rock and a hard place. HIPAA compliancy and budgeting.
My only relief is in the following excerpt:
[A] civil money penalty may not be imposed if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision,…if the failure to comply was due to reasonable cause and not to willful neglect and is corrected within a certain time, [and] a civil money penalty may be reduced or entirely waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.