We read today that the two physicians who ran Michigan-based Brookside ENT and Hearing Center have closed their business and retired, following a ransomware attack in which the ransom went unpaid and the criminals finished by deleting the doctors' ePHI.
This is sad for two main reasons, and it is consistent with conversations we've had with smaller practices (yes, we have been told that retirement is an alternative to HIPAA security compliance). By smaller, we don't necessarily mean one or two doctors; the term includes specialists who are regionally known for the excellent procedures they provide.
First, the patients absolutely lose out here. I can only assume that one or more of them will start a class-action lawsuit using HIPAA as the standard of care (i.e., the due diligence that should have been applied to a federally mandated compliance program). The loss of their most personal information, and the hurdles a new treating physician will inherit, could mean the difference in a patient's life (or the loss of it).
Second, the doctors, who clearly were not running a compliant HIPAA Security program, lost. Yes, I don't know too many "poor" physicians in the second half of their careers, and maybe they will be fine financially in retirement. But I wonder how they will feel for the rest of their lives running into a former patient at the grocery store or the movies, knowing that they have potentially "caused harm".
Two HIPAA points to consider here (more apply, but let's keep this simple):
164.308(a)(7)(ii)(A). Do you have a tested backup plan?
164.308(a)(7)(ii)(B). Does your disaster recovery plan include your backup media, and has it been tested so that you can recover from criminals who have encrypted or wiped out your ePHI?
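The two questions above both come down to the same check: can you prove, before an incident, that a backup copy is intact and that a restore from it actually works? The script below is an added illustration of that check, not code from the original post or from any product; the directory names (`ehr`, `backup`, `restore`) and the sample record files are constructed for the example. It writes a SHA-256 manifest when the backup is taken, verifies the backup copy against the manifest, performs a trial restore into a scratch directory, and then shows what the verification reports once a backup file has been overwritten or deleted, which is exactly the condition a ransomware recovery test needs to detect.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # hash list written alongside the backup copy


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large imaging or database files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup: Path) -> dict:
    """Copy every file under source into backup and record each file's SHA-256 in the manifest."""
    manifest = {}
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source).as_posix()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, dest)
        manifest[rel] = sha256_of(f)
    (backup / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(tree: Path, manifest: dict) -> list:
    """Return the relative paths that are missing from tree or whose content no longer matches the manifest."""
    bad = []
    for rel, digest in manifest.items():
        p = tree / rel
        if not p.is_file() or sha256_of(p) != digest:
            bad.append(rel)
    return bad


def verify_backup(backup: Path) -> list:
    """Check the backup copy itself against its manifest; an empty list means every file is intact."""
    manifest = json.loads((backup / MANIFEST).read_text())
    return verify_tree(backup, manifest)


def restore_test(backup: Path, restore_to: Path) -> bool:
    """Restore into a scratch directory and confirm every restored file matches the manifest."""
    manifest = json.loads((backup / MANIFEST).read_text())
    for rel in manifest:
        src = backup / rel
        if src.is_file():  # a missing file is reported by verify_tree below
            dest = restore_to / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)
    return verify_tree(restore_to, manifest) == []


def demo() -> dict:
    """Run the full cycle on constructed data: back up, verify, trial-restore, then damage the copy and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restore = root / "ehr", root / "backup", root / "restore"
        # Constructed sample records for the example; not real patient data.
        (source / "patients").mkdir(parents=True)
        (source / "patients" / "rec-001.txt").write_text("constructed record 1\n")
        (source / "patients" / "rec-002.txt").write_text("constructed record 2\n")

        make_backup(source, backup)
        clean = verify_backup(backup)            # expected: [] (all files intact)
        restore_ok = restore_test(backup, restore)  # expected: True

        # Simulate a backup copy that an intruder reached: one file overwritten, one deleted.
        (backup / "patients" / "rec-001.txt").write_bytes(b"\x00garbage")
        (backup / "patients" / "rec-002.txt").unlink()
        tampered = verify_backup(backup)         # expected: both records flagged

        return {"clean": clean, "restore_ok": restore_ok, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice. The manifest is written next to the backup here for simplicity; for a real plan, keep a copy of it (and at least one backup generation) offline or on storage the production network cannot write to, because anything that can encrypt the backup can also rewrite a manifest stored beside it. And the restore test is the part that satisfies the "tested" requirement: run it on a schedule and keep the results, since a backup job that succeeds every night says nothing about whether the data can be brought back.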
Let's stop making these kinds of headlines, shall we? Compliance and security are achievable and affordable.
Stay (HIPAA) safe,