I'll let you read the original article rather than reprint the whole thing here. But please heed the lessons.
Doctors who think they are exempt from HIPAA are fooling themselves.
Medical data companies who think they are exempt from HIPAA are fooling themselves. And criminally liable.
Technology consultants who ignore HIPAA are playing with fire. Signing Business Associate Agreements is just the start. You need a real plan for compliance, and you need to document both remediation and ongoing compliance.
In the incident Mike discusses, a medical transcription company breached the medical records of over 1,650 patients. Their customer, Virtua Health, paid a $418,000 settlement for violations of both HIPAA and the New Jersey Consumer Fraud Act.
. . . and Tushar Mathur, owner of the medical transcription company, was fined $200,000 for HIPAA violations and consumer fraud - and agreed to a permanent ban on managing or owning a business in New Jersey.
I'm sure that's not something they expected!
Remember that local, state, and federal agencies can all enforce HIPAA compliance. They're taking this seriously whether you are or not.
While Mike's article is focused on buyers of consulting, the lessons are important for you as well. In many ways, it amounts to the ultimate "best practice" list for technology consultants. Check it out.
- - - - -
Mike Semel is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. He is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist.
Mike is also a forum leader inside the Small Biz Thoughts Community.