That's not to say, however, that healthcare organizations are actually doing what they should to comply with the rules. There are still laptops with unencrypted data floating around out there, just waiting to be lost or stolen. In January 2010, there were 35 reports of breaches affecting more than 500 individuals, resulting in 712,000 notices, according to McAndrew. Most of the reports were about personal health information contained in lost or stolen unencrypted media or portable devices.
McAndrew also noted that business associates can be held directly liable for a breach of unsecured protected health information and responsible for those hefty new fines. On the other hand, she went on to say OCR would consider decreasing or even waiving some of the penalties depending on the financial state of a violating hospital. The "settlement door is always open," she added. (Two and sixteen-eighteenths . . . two and seventeen-eighteenths . . .)
While you're waiting for mom and dad to finally get to three, be sure to check out the more detailed reports from last week's HIPAA summit in Washington, DC, by HealthLeaders Media's Dom Nicastro, including an article that outlines five ways healthcare organizations could be doing a better job at HIPAA compliance: