BECAUSE I'M THE ORGANIZATION. Let me point out where things break down: I used to do ADA shit. Had a boss who actually talked to one of the guys who drafted the ADA; when asked why certain aspects of the ADA were so vague, he was told that the plan was to let the courts establish caselaw. In other words, "we left it vague so that people would be sued so that this shit would go to the courts and do our jobs for us." So it is with HIPAA. I can either become a health IT expert or I can trust that every service I use, from end to end, is HIPAA-compliant. And when you're dealing with EHRs that serve sites of less than a thousand users, the answer to "is this HIPAA-compliant?" is invariably "we'll get back to you on that." Further, are you breaking HIPAA compliance if, say, you forward your office phone to your cell phone? Well, T-mobile will point to Avaya and Avaya will point to T-mobile and if you're doing it through Google Voice Google will say "we're in Beta, fuck off" and there you are, liability hanging out in the breeze, breaking the law. And your argument is that Dude, fuck that shit. Fuck it in the neck. Fuck everything about it, fuck it sideways, fuck it upside down, fuck it raw. You're saing that "a few months" of wading through YOUR world is necessary for me to connect my wife's cell phone to my wife's office phone without breaking the fucking law. So yeah. We're at loggerheads. We don't agree. I want to buy that problem away so hard it hurts. Because the alternative is joining the Pod People in the belief that lawsuits are the righteous punishment for a lack of expertise. Had a coworker. He used to be a license enforcement dick for Muzak. Means he'd wander around to restaurants and shake down people who were playing the radio instead of paying Muzak for their shitty $25/mo mechanical royalty service. So when the office we worked at wanted to put music-on-hold on our phone system, the asshole made the receptionist get a written letter of permission signed by a lawyer in order to use her fucking string quartet on our phone system. And he was technically correct - the worst kind of correct. But everybody else? They plug the fucking radio into the PBX and call it a day. Because we don't have time for that shit, and we shouldn't be required to. It isn't about blame. It's about a reasonable effort for a reasonable return, and you're advocating a strenuously unreasonable effort for a truly minuscule return.I'm saying hold the organization accountable for their mistakes, you seem to be saying hold the organization accountable for their mistakes, why are we arguing?
I've only tangentially worked with HIPAA, but with how detailed it is I'm sure there are data retention and offsite backup requirements in the law itself, so if you don't have them, you're most likely violating the law.
I have turned many 3s into 1s with a few months of experience, teaching, and priming with proper ways to find, locate, and read through reference documents.