There are many misconceptions about HIPAA throughout the healthcare industry. In particular, business associates (BA) who provide cloud services to covered entities (CE) often have the misconception that they do not need to be concerned with HIPAA if they are compliant with the Payment Card Industry Data Security Standard (PCI-DSS). BAs with this school of thought should be prepared to get their checkbooks out when the Office for Civil Rights (OCR) comes calling.
Even organizations with sound policies, procedures, training, and safeguards can experience a breach. When?not if?a breach occurs, traditional insurance may not be enough to cover the damages. Ensuring that your organization has adopted the appropriate cyber insurance can be valuable in the event of a breach.
The Office for Civil Rights (OCR) announced December 8, 2014 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations. OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service, per the announcement (see www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/amchs-capsettle...).
