Ask HN: Is anything in HIPAA actually required?

18 points by throwawayhipaa ↗ HN
I work with a software development shop that targets healthcare companies. I've read through various HIPAA guidelines and recommendations and it seems like a monumental amount of work to be compliant - but the company head interprets HIPAA as just recommendations and that it's all subject to interpretation, so he's "not too intimidated by it".

Am I over-reacting in expecting religious-like adherence to whats outlined in HIPAA - or is it really more just a set of recommended guidelines?

9 comments

[ 4.5 ms ] story [ 33.5 ms ] thread
I've worked as a technology vendor for pharma and health device companies. Your boss is dead wrong.

You should treat HIPAA as both a legal AND ethical imperative. Shame on anyone who doesn't.

+1 on raising the ethical point. I get SO mad when I discover regular old ecommerce businesses treating their customers so poorly that they want to HIDE as much as possible about even minor security breaches...it's just flat out morally repugnant to betray the customer's trust like that, and there's no inalienable right to run a business at all...

And that's really just relating to the risk of damaging someone's credit & hassles of dealing with Identity Theft if payment info is compromised....But when you start talking about PHI and stuff like mental health issues or info about poorly understood medical conditions is being disclosed that could potentially ruin a person's entire career or destroy families / social interactions for the rest of their lives, it just goes so far beyond the pale of moral repugnance that I don't even have the words to describe it...

Since the OP got flagged, I can't comment any more on the thread and it's probably a moot point anyways, but I thought I'd at least add a few more links for anyone interested in seeing what DHS HAS been able to do re: enforcement...

- https://www.hcca-info.org/Portals/0/PDFs/Resources/Conferenc...

- https://www.propublica.org/article/small-scale-violations-of...

It's somewhere in-between. There's no required HIPAA certification process, all you need to do is sign a BAA and you're a covered entity (and HIPAA applies to you). HIPAA really requires only a few things: if you have a breach of PHI you have to announce it quickly and announce it in a local newspaper, you shouldn't be sharing PHI with partners that won't sign a BAA and you should all be recieving HIPAA training. This is enforced with fines and by the terms in your BAA. Your company may be out of scope though. If your company never receives PHI, then HIPAA doesn't apply to you. If you do receive PHI, then the danger of losing it, either accidentally our through a hack is much larger
Let's just say that it exists in a Quantum state of simultaneously being both of those things...a Schrödinger's Regulation, if you will...

I've been on all sides of the HIPAA space since it was enacted.

I've worked for firms who either offered health insurance to their employees or accepted insurance payments for products they sold. My mother is a Therapist with a sole practitioner private practice and I've been working with her to get her compliance house in order as she prepares to retire and sell her practice. I've also worked as a consultant with Software, Insurance, Tech Hardware, and other firms across the spectrum of covered entities and business associates and what I can tell you definitively is that:

You're Boss is pretty much correct....RIGHT up until the point when you have a security incident and get compromised in some manner and disclose PHI.

Of course, the bizarre thing is that if you're REALLY large (like Anthem Insurance large) and disclose hundreds of thousands or dozens of millions you will probably NOT be put out of business buy DHS, even though the law indicates you should be fined up to $1 million per disclosed patient records assuming it was a flagrant effort of non-compliance. The reason?

I guess it's Too Big To Fail - there's simply no alternate mechanism in the current insurance marketplace to absorb that many insured without some seriously destructive economic dislocation. Smaller firms, and let's face it - nearly everyone else is smaller, don't get off as easy. DHS has begun increasing enforcement actions, especially for firms who fail to follow notification provisions after a breach.

The appear to be increasingly eager to make examples out of the smaller fish in what one assumes is an attempt to goad the bigger fish into more disciplined action.

And even if you avoid the criminal provisions (yes, some have and more will continue to be sentenced to actual jail time for their involvement in failing to adequately protect PHI), it appears that the market is beginning to correct the imbalances of economic power as more and more class action law suits are being filed against the firms who survive the DHS HIPAA post-mortem - http://www.beneschlaw.com/Lessons-Learned-from-the-Anthem-Cy...

It seems that all those disclosure requirements that are the first things required after a breach (especially if you want to avoid more stringent penalties after your post-breach audit) are producing mountains of evidence that class action trial attorneys just adore digging into...

I've personally gone back and forth in different roles / situations on how much I let the higher-ups paranoia or lackadaisical approach to HIPAA affect me. In the end, if I'm worried they're not taking it seriously enough, I provide a written document for them to sign outlining any concerns I have and documenting when I raised them. I ask that they sign it and further, agree to explicitly acknowledge in the document that they will take the risk of any potential jail sentences, fines that come from activities that wind up piercing the corporate veil of liability protection, and specifically relieve me of any and all liability for any economic impact that may come to damage the company later should my concerns prove well founded and the worst case scenario happens.

They'll either get scared straight and doing the right thing or they'll laugh it off and at least then if I want to stick around I can do so knowing that I've done everything that I could for the time being to inform the stakeholders at the firm and protect myself. But really if it gets THAT bad, I'm probably not going to feel comfortable trusting my economic well being to people who would make such horrible decisions...

It’s a legal question more than a technical one. Let’s say you have a breach where PHI is exposed. If you can demonstrate you were adhering tightly to the guidelines, you’re less likely to receive jail time and a company-ending fine.

Sounds like your boss wants to roll the dice.

how does your boss respond to the question 'are you HIPAA compliant?' when he's selling your software?
No, be adherent. You do not want to deal with the audit process, it is hell.

Also, remember that while HIPAA has a lot of the broad details, the HI-TECH act has a lot of the technical specs.

What little I know:

It can be enforced with significant fines. When I worked at Aflac, they took this fact quite seriously as a real threat that they didn't want to happen to them.

The following blog suggests the fines can be up to $1.5 million and violations can also involve criminal charges and jail time:

https://www.truevault.com/blog/what-is-the-penalty-for-a-hip...