Million Dollar HIPAA Settlements Are About Compliance, Not Harm to Individuals
The National Law Review published an article that puts HIPAA policy in a light that some people may not have thought about. The term “no harm, no foul” is used when referring to breaches that have little to no expected damage. However, the Office of Civil Rights (OCR) doesn’t see it quite the same way. The OCR doesn’t base its judgments on the harm done by breaches; instead, it bases them on the privacy and security policies the company is using to protect the beneficiary’s information. This article outlines mistakes made by Triple-S Management Corporation that led to a $3.5 million settlement.
Note – “These are not sophisticated system attacks carried out by unnamed international identity theft rings or by nation states. They are essentially mistakes in the handling of ePHI that can happen at any covered entity or business associate.”