HIPAA Compliance is a Legal Standard of Care

HIPAA Compliance is a Legal Standard of Care

A lawsuit can be won against a company that does not maintain HIPAA compliance. In a recent case: “Reviewing a $1.44 million jury verdict, an Indiana appellate court affirmed that the plaintiff had raised a viable claim of negligence based on using HIPAA as the standard of care.”

The HIPAA regulations specifically preclude legal action based on non-compliance, reserving the right to punish for OCR. However in many recent class action lawsuit as well as the aforementioned case the courts have concluded that it is a universal standard for healthcare and failing to maintain a HIPAA compliant company exposes the company to legal action.

Let’s talk about the class action lawsuits. The law firms generally ask for $1,000 per patient record breached and settle for somewhere north of $100 per patient. Stanford Hospital and Clinics and their business associate, Multi-Specialty Collection Services LLC agreed to a $4.1 million dollar settlement of a class action lawsuit stemming from a HIPAA breach.

The old ounce of prevention versus a pound of care maxim applies here. Using a SaaS model a company can get HIPAA compliant, stay compliant and prove compliance for a few dollars per day. The reason I use the per-day model is that HIPAA compliance is an on-going process requiring documentation of compliance activities such as employee training. Putting a manual on the shelf is not HIPAA compliance.

Progress not perfection should be your goal. Measure your compliance with a HIPAA risk assessment meeting the NIST standards, identify areas needing improvement, and document your efforts.

For more information contact me directly at jack@compliancehelper.com