Cory,
 
I think that you have done an excellent job of teasing out, and effectively illustrating, some important distinctions here.  That said, I would like to express a broader concern that does not necessarily apply to the present instance.
 
I subscribe to about a dozen HIPAA-related listservs, and on too many occasions I have seen people make highly problematic statements regarding what either their own company or some other entities were doing, or were planning on doing, or were believed to be doing.  Legal liability issues aside, I think that everyone on this list needs to understand that we are gradually transitioning from the conjectural to the actual where HIPAA compliance practices are concerned.
 
Given the complexity of the issues, the inconsistencies within the law and the rules, the multiplicity of opinions regarding what constitutes compliance, the lack of even a draft enforcement rule, and the lack of any indication of what either the Department of Justice or the courts will eventually decide justifies imposing a penalty, I would urge that we avoid naming specific entities as much as possible in our postings.  Short of that, you need to be very very sure of your facts.  And, of course, some entities will be more hostile the surer your facts are.  But there is a fairness issue here that is even more important than the libel issue.
 
I think that we can have candid and fruitful discussions and still describe potentially problematic practices in ways that are either hypothetical or at least don't name specific entities.  And, with rare exceptions, I think that fairness demands this.  I am not so much urging caution as a special consideration for the reputation of others.  I want our discussions to be open, frank, and vigorous.  We just need to minimize the unintended consequences that are so easily incurred when we share our thoughts with a thousand others.
 
 - Zon Owen -
(808)597-8493
 
PS-1:  If these compliance-related exchanges are going to continue, I hope that we can settle on a single SNIP listserv for these posts.  I will grant that this topic bridges the boundaries between the privacy and transactions workgroups, but this type of multiple SNIP listserv posting should be avoided whenever possible.
 
PS-2:  Welcome back, John C., however brief your stay!  We have missed your counsel!

----- Original Message -----
 
Sent: Tuesday, September 10, 2002 11:35 AM
Subject: RE: "Compliance"

Tim,

I'm not an attorney either, but I have to work with some.  I have been
involved in business and contract law far more than I would like.
Specifically, I stated publicly that I know of organizations that PLAN to
violate the letter of law, and that my organization is CONSIDERING such
possible PLANS.  Call up your local Police Department and tell them that
your neighbor's kid said that next month, after the neighborhood speed limit
drops from 30 to 25, he knows of other neighbors who PLAN to occasionally
exceed the speed limit, and his dad is CONSIDERING such possible PLANS.  I
think you can guess what will (or better said, will not) happen.  Given the
nature of the law, I'm not that worried.  Now, if the offense was that he
plans to rape the little girl across the street, you would get a very
different response (or at least I'd like to hope you would).

Speaking to the nature of the severity of a HIPAA violation, DHHS has
publicly stated that they are not out to cause damage to the Health Care
Industry.  As it is, there is already a lot of hardship being caused.  No
one knows whether HIPAA violators will be treated as Child Molesters, or
just occasionally be given speeding tickets.  The attorneys that I've talked
to expect it to likely be more on the side of the speeding tickets, at least
in the transactional compliance arena.  Privacy may be (and should be) a
whole different story, but the context that we're talking about here, is Tx
IG compliance.  As I pointed out, strict compliance to the letter of the IG
law is already known to be impossible.  Thus, I consider it a fairly safe
bet, in light of DHHS's public statements, they don't intend to require
"100% compliance" to the letter of the IG, especially where it contradicts
itself.

If you ask any over-the-road trucker, he will tell you that fines for
over-weight violations are just part of his business plan.  Until people see
some tenacity in compliance enforcement, there will be those who, like the
trucker, see planning for the fines as the more cost-effective business
plan.

I'm not trying to make any judgments here.  Internally, our organization is
doing its best to work towards 100% compliance, as best we can fine-tune the
definition.  We have no delusions about our ability to achieve perfection,
even though that is currently the goal.  We also know that being sensitive
to our customers is fundamental to our business survival, and we are trying
to keep our options open to that end.  I AM trying to acknowledge what I
have heard "through the grapevine", and see if anyone is willing to openly
talk about reality, instead of getting wrapped around the axle of the "100%
compliance" fantasy (as seemed to be happening in a previous thread).

Speaking of being realistic though, I fully expect that this discussion
won't go very far...

-Cory

The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.
