
Ask HN: Is anything in HIPAA actually required? - throwawayhipaa
I work with a software development shop that targets healthcare companies. I've read through various HIPAA guidelines and recommendations and it seems like a monumental amount of work to be compliant - but the company head interprets HIPAA as just recommendations and that it's all subject to interpretation, so he's "not too intimidated by it".

Am I over-reacting in expecting religious-like adherence to what's outlined in HIPAA - or is it really more just a set of recommended guidelines?
======
twunde
It's somewhere in-between. There's no required HIPAA certification process,
all you need to do is sign a BAA and you're a covered entity (and HIPAA
applies to you). HIPAA really requires only a few things: if you have a breach
of PHI you have to announce it quickly and announce it in a local newspaper,
you shouldn't be sharing PHI with partners that won't sign a BAA and you
should all be receiving HIPAA training. This is enforced with fines and by the
terms in your BAA. Your company may be out of scope though. If your company
never receives PHI, then HIPAA doesn't apply to you. If you do receive PHI,
then the danger of losing it, either accidentally or through a hack, is much
larger.

------
joshklein
I've worked as a technology vendor for pharma and health device companies.
Your boss is dead wrong.

You should treat HIPAA as both a legal AND ethical imperative. Shame on anyone
who doesn't.

~~~
beejhuff
+1 on raising the ethical point. I get SO mad when I discover regular old
ecommerce businesses treating their customers so poorly that they want to HIDE
as much as possible about even minor security breaches...it's just flat out
morally repugnant to betray the customer's trust like that, and there's no
inalienable right to run a business at all...

And that's really just relating to the risk of damaging someone's credit &
hassles of dealing with Identity Theft if payment info is compromised....But
when you start talking about PHI and stuff like mental health issues or info
about poorly understood medical conditions is being disclosed that could
potentially ruin a person's entire career or destroy families / social
interactions for the rest of their lives, it just goes so far beyond the pale
of moral repugnance that I don't even have the words to describe it...

Since the OP got flagged, I can't comment any more on the thread and it's
probably a moot point anyways, but I thought I'd at least add a few more links
for anyone interested in seeing what DHS HAS been able to do re:
enforcement...

\- [https://www.hcca-info.org/Portals/0/PDFs/Resources/Conferenc...](https://www.hcca-info.org/Portals/0/PDFs/Resources/Conference_Handouts/Healthcare_Enforcement/2015/503_SurvivingHIPAABreachInvestigation_2slides.pdf)

\- [https://www.propublica.org/article/small-scale-violations-of...](https://www.propublica.org/article/small-scale-violations-of-medical-privacy-often-cause-the-most-harm)

------
DoreenMichele
What little I know:

It can be enforced with significant fines. When I worked at Aflac, they took
this fact quite seriously as a real threat that they didn't want to happen to
them.

The following blog suggests the fines can be up to $1.5 million and violations
can also involve criminal charges and jail time:

[https://www.truevault.com/blog/what-is-the-penalty-for-a-hip...](https://www.truevault.com/blog/what-is-the-penalty-for-a-hipaa-violation.html)

------
thisone
how does your boss respond to the question 'are you HIPAA compliant?' when
he's selling your software?

------
JSeymourATL
CYA Relevant: Texas hospital penalized $3.2M for HIPAA violations >
[https://www.scmagazine.com/texas-hospital-penalized-32m-for-...](https://www.scmagazine.com/texas-hospital-penalized-32m-for-hipaa-violations/article/635989/)

------
didgeoridoo
It’s a legal question more than a technical one. Let’s say you have a breach
where PHI is exposed. If you can demonstrate you were adhering tightly to the
guidelines, you’re less likely to receive jail time and a company-ending fine.

Sounds like your boss wants to roll the dice.

------
allhailkatt
No, be adherent. You do not want to deal with the audit process, it is hell.

Also, remember that while HIPAA has a lot of the broad details, the HI-TECH
act has a lot of the technical specs.

------
beejhuff
Let's just say that it exists in a Quantum state of simultaneously being both
of those things...a Schrödinger's Regulation, if you will...

I've been on all sides of the HIPAA space since it was enacted.

I've worked for firms who either offered health insurance to their employees
or accepted insurance payments for products they sold. My mother is a
Therapist with a sole practitioner private practice and I've been working with
her to get her compliance house in order as she prepares to retire and sell
her practice. I've also worked as a consultant with Software, Insurance, Tech
Hardware, and other firms across the spectrum of covered entities and business
associates and what I can tell you definitively is that:

Your Boss is pretty much correct....RIGHT up until the point when you have a
security incident and get compromised in some manner and disclose PHI.

Of course, the bizarre thing is that if you're REALLY large (like Anthem
Insurance large) and disclose hundreds of thousands or dozens of millions you
will probably NOT be put out of business by DHS, even though the law
indicates you should be fined up to $1 million per disclosed patient record
assuming it was a flagrant effort of non-compliance. The reason?

I guess it's Too Big To Fail - there's simply no alternate mechanism in the
current insurance marketplace to absorb that many insured without some
seriously destructive economic dislocation. Smaller firms, and let's face it -
nearly everyone else is smaller, don't get off as easy. DHS has begun
increasing enforcement actions, especially for firms who fail to follow
notification provisions after a breach.

They appear to be increasingly eager to make examples out of the smaller fish
in what one assumes is an attempt to goad the bigger fish into more
disciplined action.

And even if you avoid the criminal provisions (yes, some have and more will
continue to be sentenced to actual jail time for their involvement in failing
to adequately protect PHI), it appears that the market is beginning to correct
the imbalances of economic power as more and more class action lawsuits are
being filed against the firms who survive the DHS HIPAA post-mortem -
[http://www.beneschlaw.com/Lessons-Learned-from-the-Anthem-Cy...](http://www.beneschlaw.com/Lessons-Learned-from-the-Anthem-Cyber-Attack-and-Corresponding-HIPAA-Actions-03-13-2015/)

It seems that all those disclosure requirements that are the first things
required after a breach (especially if you want to avoid more stringent
penalties after your post-breach audit) are producing mountains of evidence
that class action trial attorneys just adore digging into...

I've personally gone back and forth in different roles / situations on how
much I let the higher-ups paranoia or lackadaisical approach to HIPAA affect
me. In the end, if I'm worried they're not taking it seriously enough, I
provide a written document for them to sign outlining any concerns I have and
documenting when I raised them. I ask that they sign it and further, agree to
explicitly acknowledge in the document that they will take the risk of any
potential jail sentences, fines that come from activities that wind up
piercing the corporate veil of liability protection, and specifically relieve
me of any and all liability for any economic impact that may come to damage
the company later should my concerns prove well founded and the worst case
scenario happens.

They'll either get scared straight and do the right thing or they'll laugh
it off, and at least then, if I want to stick around, I can do so knowing that
I've done everything that I could for the time being to inform the
stakeholders at the firm and protect myself. But really, if it gets THAT bad,
I'm probably not going to feel comfortable trusting my economic well-being to
people who would make such horrible decisions...

