Dental office refuses to comply with HIPAA, what would you do?

knc

Location
Kingston, Ny
I have a client who has about 12 PCs, some Win 2000, Win XP, and Win 7. He refuses to upgrade or comply with HIPAA; I don't do enough business with him (obviously) to worry about losing him as a client.

Could I possibly be held liable for this as his IT consultant? Of course he will say I never recommended the need to become compliant.

Anyone else ever been in this situation?
 
Could I possibly be held liable for this as his IT consultant? Of course he will say I never recommended the need to become compliant.
Yes, in theory you could. Send a certified letter with return receipt card outlining why he is not compliant and that because of that you are severing ties and responsibility. Keep your copy of the letter and the card forever.
 
As the others recommended, drop them as a customer, advising why. If there is a breach it's not guaranteed that you would be caught in the net. But if you are insured, your underwriter would most likely deny coverage if you were included in the litigation. And I would guess they would figure out a way to put whatever blame they can on you; if not the practice, then their legal reps.
 
Your client's state of compliance is NOT your legal responsibility and you will not be liable for it.

However, your state of compliance IS your responsibility and you will be liable for that. If you are doing work for clients who are bound by HIPAA and that work involves certain functions with regards to Protected Health Information, then you are also bound by HIPAA, subject to audits and liable for certain actions or inactions.

That said, it could be your responsibility for your client's compliance if you are doing work that involves privacy and security of their systems. For example, let's say you fail to properly secure the firewall, which results in a breach... you'll likely get hit with fines (as has already happened to others). Even more subtle, let's say the client has a breach that doesn't involve you, or they are the winner of a random audit. One of the first things the audit will look at will be the vendors (IT especially). If there is not a Business Associate Agreement between your company and the client, you may be fined. Worse yet, you may be audited.

There are all sorts of scenarios and "what ifs" you can think of. But to answer the basics of your question... no, you are not liable for your client not wanting to follow the law... but you are liable for you. As @markverhyden stated as well, your insurance company would likely turn and walk away.

I'm more concerned about making sure you are protected, if for no other reason than because you give a damn. It's not necessary that you dump him (though it may be best). But if you decide to keep him, make sure you're still doing everything by the book and well documented. My experience has been that the dental community as a whole is not all that concerned with HIPAA.
 
I have a client who has about 12 PCs, some Win 2000, Win XP, and Win 7. He refuses to upgrade or comply with HIPAA; I don't do enough business with him (obviously) to worry about losing him as a client.

Could I possibly be held liable for this as his IT consultant? Of course he will say I never recommended the need to become compliant.

Anyone else ever been in this situation?
You can, in theory, be sued for anything. Depending on how the client spins it, you could be caught in the web. That's why you need insurance.

I would absolutely drop the client. Here is my take. If they care so little about complying with the law and protecting patient privacy AND they are so cheap they won't invest in upgrades... how will they treat the consultant? Where do you think you stand on the priority list of getting paid? :-)
 
Might be good to have some docs on a similar provider that got nailed, so they can see what non-compliance can cost them. One might be able to tap a lawyer that specializes in this for a write-up/report/case study.
 
I agree with the above suggestions of terminating the relationship (certified mail is a great suggestion) with any client who willfully violates HIPAA. It can only lead to bad news for all involved when a violation is reported and penalties are levied. A CE is now required to notify individuals affected by a violation, and we all know how litigious people are. Rest assured that if you are somehow involved, even indirectly, in a breach, you will be at risk. Also, be sure you understand your role and whether or not you are considered a CE Business Associate and have signed an agreement as such with the client, or if the nature of your services will allow you to be exempt from this. As a CE Business Associate, you may be taking on more risk than necessary if you truly should not be considered a Business Associate. Take a look at this link... it has some great information on this.

http://www.hhhealthlawblog.com/2013/11/avoiding-business-associate-agreements.html
 
You definitely need to sever ties and, like others have said, send him a notice by certified mail with the reasons. It's not worth putting you and your company at risk.
 
As David mentioned above, make sure your house is in order. You can't control his actions but you can definitely make sure you're well prepared. One complaint from a patient or a disgruntled employee and this guy is hosed and you could easily get caught up in this mess.

When it comes to servicing covered entities and business associates, there's a lot involved. In my experience, much more than most I.T. consultants are aware of. David didn't plug his site/organization (other than in his sig) but I will. HIPAA for MSPs is a fantastic resource for those who service customers in the medical field.
 