HIPAA Survival Guide Newsletter September, 2020
Stuck on Stupid Revisited
More than a decade after the HITECH Act was promulgated, it remains somewhat surprising to us that most covered entities (CE) and business associates (BA) remain stuck on stupid concerning HIPAA compliance. Having taught thousands of stakeholders the Rules (HIPAA Privacy, Security, and Breach Notification) over the last decade through our webinars, newsletters, and products, we now believe we have some insights into why stuck on stupid remains “a thing.”
The principal reason that stuck on stupid persists systematically is that the CEO, CIO, CISO, Risk Manager (pick your title du jour) are unwittingly running into the clash of civilizations head-on. What do we mean by the clash of civilizations? It is the divide between those that were born digital, those that got there as soon as they could (a work in progress), and the C-Suite—those who may never get there. It is not that the C-Suite does not, at some abstract level, understand the power of technology; rather in this instance, it’s that they don’t understand the intersection between technology, compliance, and the law.
Understanding two of the three components is woefully inadequate. For many of the C-Suite, they may get a “warm fuzzy” because they have gone through the pain and expense of implementing SOC-2 or HITRUST. That’s nice. To be sure, we have some inherent bias as to the efficacy of these programs. But from a legal perspective, there is no bias. SOC-2 and HITRUST are not the law. Period. Full stop. They are industry standards that purportedly map to the law promulgated by organizations that have a vested interest in their approach. No matter how effectively they claim to perform said mapping it will do them little good when facing an HHS/OCR auditor, or worse yet, a plaintiff’s lawyer in a class-action lawsuit after a major breach.
There is already a precedent that HIPAA can be used as the standard of care in a state-based negligence suit. As most of you know, patients do not have a private right of action under HIPAA itself, but nothing prevents them from bringing negligence suits under state law; and many have already done so. If I am a plaintiff’s lawyer at trial, and the compliance officer (CO) is on the witness stand, I am not going to ask them about their SOC-2 or HITRUST compliance. These initiatives are meaningless in any kind of lawsuit because they are not the law.
No, I am going to ask the CO whether his/her organization complied with a specific section of HIPAA (e.g., §164.308(7), the “Contingency Standard”). I want to know how his/her organization complied with each implementation specification (i.e., “security control”) of the standard: (A) Data backup plan; (B) Disaster recovery plan; (C) Emergency mode operation plan; (D) Testing and revision procedures; and (E) Applications and data criticality analysis. If the CO responds that they have complied with SOC-2 or HITRUST, blah, blah, blah, then I am going to ask the witness a rhetorical question: “You are aware that SOC-2 and HITRUST are not the law, correct?”
No, the question I asked is: do you have visible, demonstrable evidence (VDE) that you have complied with each implementation specification listed above? If the CO starts to stammer, with that deer-in-the-headlights look, then it’s game over. The jury, and everyone else in the courtroom, will know that the CO does not have the foggiest idea whether he/she has complied with the law. Game over. Case closed. If HIPAA is the standard of care, then the CO just admitted that they breached the standard of care. It’s on to causation and damages.
If your CEO is also sitting in the courtroom, he/she is going to be wondering why the CO can’t answer a simple question after having spent well over six figures on a SOC-2 or HITRUST implementation. As the plaintiff’s lawyer, I am going to have a “field day” grilling you whether you have complied with the other 168 requirements of the Rules. Needless to say, the CO (and CEO) is not going to have a good day.
The clash of civilizations issue gets worse. How so? Because, unless you have a major breach, the authorities under Trump (and Obama) are mostly looking the other way. Sure, you may get stiff civil monetary penalties if, after a breach, the auditors discover that you have basically “stuck your head in the sand” and thumbed your nose at the regulations. But OCR is not otherwise looking for you. There are no mandated audits taking place, even though the HITECH Act requires them.
It is no longer the regulatory authorities that are enforcing privacy and security; it is the CEs and the BAs that do not want their reputations damaged to the tune of tens of millions of dollars by letting a business partner utilize their PHI without the latter having a rigorous HIPAA compliance initiative in place. Good luck trying to close a deal with Big Pharma without bringing your “A” game when it comes to the VDE contained within your compliance initiative.