There is a Seinfeld episode where Jerry is at a car rental counter. It seems the rental agency is out of cars, which upsets Jerry. He goes on a slight rage and says something like this:
You know how to take the reservation… you just don’t know how to keep the reservation.
The federal government is great at writing rules/regulations/laws, but not so great at implementation or enforcement.
It seems as though a government entity would be one of the first to implement new federal regulations. Other than seeming appropriate and leading by example, I can’t give any other solid reason why I feel this way.
If you look through the PHI breach data, government entities tend to be the largest offenders.
Not necessarily the most frequent offenders, but surely the largest.
Just like a small boat floating aimlessly at sea isn’t “news”, yet a cruise ship floating aimlessly at sea is huge news.
So, it was alleged that the office of Veteran Affairs was “transmitting sensitive data, including Personally Identifiable Information (PII)…over unencrypted telecommunications carrier networks.”
After the VA OIG researched the issue, they found this:
“VA was transmitting sensitive data, including PII and internal network routing information, over an unencrypted telecommunications carrier network”
“VA has not implemented technical configuration controls to ensure encryption of sensitive data despite VA and Federal information security requirements.”
The full report is here, if you care to read that exciting document.
So, you are thinking, “well if the feds don’t have to follow their own rules, why should I?”
Though I “get it” and understand this argument, it won’t save your butt.
For most private practices, complying with HIPAA regulations is not difficult.
Yes, there are processes and procedures that must be implemented.
Yes, it can be a pain.
Yes, it can cost you some money.
But – remember this: the VA can’t get fined for their violations…YOU CAN!
Here is a quick refresher of HIPAA fines:
Minimum fine: $100 per violation, up to $25,000 in a year (per person AND to the practice)
Maximum fine: $50,000 per violation, up to $1.5 million in a year (per person AND to the practice)
Quick, somebody try to argue against being HIPAA compliant.