Posted to alt.home.repair
Unquestionably Confused
I JUST TOLD HER "NO, YOU CAN'T HAVE IT."

On 3/16/2015 8:18 AM, Kurt Ullman wrote:
In article ,
Unquestionably Confused wrote:



Civil Penalties:

1. Covered entity or individual did not know (and by exercising
reasonable diligence would not have known) the act was a HIPAA violation.


You serious? The individual (the secretary) may not have known, and
if so that in and of itself might be a violation. There are
stringent regulations holding the entity responsible for developing
policies and procedures for handling the information and developing
training programs on those policies and procedures. The entity (the
practice) would have known unless they have been in a coma for the last
10 years or so. Violations (and heavy fines) have been levied for
similar situations that would have been made worse by the fact the file
with patient identifiers wasn't encrypted (that alone would get you
nailed if the computer fell into the "wrong" hands).



2. The HIPAA violation had a reasonable cause and was not due to willful
neglect.

Lack of encryption has been established as being at least prima
facie evidence of willful neglect as has lack of policies/procedures
governing disposal of computers containing personalized data.



It would seem that you are a master at taking things out of context and
shooting the messenger. Those are the government's penalties, not
mine... as well as their classification system.

My point was simply that there is no automatic $250,000 fine per
violation as stated in a prior post by Moe.

It will be interesting to see what fines, if any, are levied when the US
Government or one of their vaunted employees screws the pooch and
improperly disseminates HIPAA protected information.