So if you haven't heard already, the DOJ has issued an opinion that clarifies and further muddies (ain't that the way it goes?) the confusion of who is criminally liable in HIPAA violation cases. As the famous Gibson case has been held up in the past as a guideline for the rest of us in dealing with employees and their actions, this is pretty revolutionary stuff, but at the same time makes a sort of sense: Covered entities are covered entities, not their employees or associates.
Will this make it less easy for you to coerce your employees into compliance?
Well, yes and no.
As Jeff points out over at the always readable HIPAA Blog, the responsibility always was on the covered entity to ensure compliance. That hasn't changed; what has changed is the size of the cudgel you wield. Before, you could have said that if they weren't good little boys and girls and didn't eat their broccoli, the big bad HIPAA cops would come and get them. But in truth, the big bad HIPAA cops were probably never going to get them anyway. It was always up to you. Your rules, your policies, your responsibility to enforce.
On the front line, this is probably less of a big deal than it seems, especially here in Washington State, where our state laws on privacy are rough enough that even the HIPAA enforcers back slowly away, careful to avoid eye contact. But boy howdy has it got the dander up on the blogosphere! For a rundown on this donnybrook check out this and this. Read through the links; it reminds me a little of some of the flame wars on the political sites I frequent.
Bruce Schneier, the security guru, thinks the law has been gutted; Jeff at HIPAA Blog disagrees. Both have good reasons to think what they do. Schneier comes from an IT background, as do I, and one of the results of that is the certain knowledge that there is no real privacy, only ways to make it inconvenient for the black hats to get at your stuff. HIPAA is one of those inconveniences, and anything that looks to make it less effective as a deterrent is going to bug him. Jeff is a lawyer, and his take on things carries some weight based on his experience with how the law actually shakes out in the courts.
The only one of my regular sources to not yet weigh in on this is Bob Coffield at Healthcare Blog Law. You can join me in checking back with him here.
At any rate, this is more fun than a possum in a lint bag.