Will echo other comments and say that I enjoyed this post.
IANAL, however, in all seriousness...
I think you should talk to a personal lawyer about your situation ASAP, especially now that you posted this publicly. HIPAA is not to be trifled with and now you've shared that you have knowledge of a breach. You've also provided enough detail in this post that (if found and traced back to you) could be used as proof that you were knowingly complicit in breaking the law.
You want to retire early? I would not be messing around in a company that skirts the law. All this work could be for naught. You are high enough up that you have a decent chance of getting caught in the inevitable downfall of this company.
Seconded, hard. You can't spend that $165K a year when you're staring down the barrel of willful HIPAA violations. Leave the company as soon as humanly possible. Leave and hope that the blowback from the inevitable disclosure--which won't be from your company--is happy enough eating the executive team that remains. And get a personal lawyer who understands HIPAA and explore avenues for whistleblowing; turning over on that company might be important for personal survival.
The story exceeds my suspension of disbelief. What particularly jumps out at me is the backwards details - nobody off the street knows what "TPA" means, sure, but everybody who's ever gone to see a doctor knows what HIPAA is, even if they think it's called "HIPPA".
I think you are rather over-estimating the degree to which people read those standard forms: it’s akin to expecting everyone to read the full text on the “Are you sure?” dialog before clicking OK.
I don't know if I read the forms, but so what? Many if not most people don't do their own taxes, but they know generally what the IRS is and what it does.
I worked at a networking hardware startup outside Silicon Valley many years ago (during the first dotcom boom). It was run by two people, father and son, with no technical experience -- one previously ran a garbage collection company, as I recall, and the other was a sales guy -- and shortly after I started, I learned that the antics of them and their cronies had caused the entire engineering staff to have over 100% turnover in less than a year. Not only was no one left at the company who had originally had anything to do with the product's design, there was no one left at the company who had worked with anyone who originally had anything to do with the product's design. During the barely two years I worked there, the company had a system architect who talked about "making the code more flamboyant" and eventually fled the country for legal reasons, had a cold war between that architect and another executive in which the former was (badly) installing spyware on the latter's laptop, had the CEO earnestly tell us about how a former engineer had put, quote, "death code" into the system that the CEO had found and removed himself (this is, again, a man with no programming experience and the former engineer worked on the system-level C code; if he'd put "death code" in there, the CEO would not have been able to find it); on and on and on.
tl;dr: small tech companies run by completely non-technical people may not always be shit shows, but when they are shit shows, the shit can be pretty unbelievable.
Maybe it's bull. But it has the ring of truth to it, to me, and I've worked for a few healthcare startups. A lot of developers think of themselves as "just developers" and a lot of people are brutally incurious about the world until it hits them in the face.
Work at a hospital and in the orientation the first speech is given by the head of compliance who goes over what executives have gone to jail, why, and all the underlings that have been fired for seemingly innocuous HIPAA or PHI violations (looking at a friend's chart, posting on social media, etc).
The money sounds nice but OP could probably make the same somewhere more reputable with less of a chance of feds walking in and taking everything.
>You can't spend that $165K a year when you're staring down the barrel of willful HIPAA violations.
It's much harder for the government to take back your $165k after you've spent it all. Sure they'll garnish your wages but they'll do that either way so you may as well live a little in the meantime.
HIPAA is absolutely to be trifled with. Look up who is actually fined and faces actual consequences from HIPAA violations. It is 99.99% big universities, hospitals, and insurance companies. Everyone else gets (at most) a slap on the wrist and has to promise not to do it again. Once in a while they’ll fine a small family practitioner $25k for not shredding papers properly but it’s a total joke.
HIPAA Compliance Services are something for consultants to sell so business owners can sleep at night. It’s like Lisa’s magic rock on the Simpsons that keeps tigers away. Does it work? I don’t see any tigers around here do you?
Seconded. I’m a physician that got so pissed off at how a practice was repeatedly and willfully violating HIPAA that I risked my standing in the local physician community and reported them.
I was basically told by the case manager, or whatever they call themselves, to fuck off.
Preach it. Reported my own psychiatrist for having a bunch of highly sensitive "followup" forms asking about medication, emotional state, etc. (and including patient name, address, other PII) on the practice website that transferred data over plaintext to a shared hosting server running PHP5 in debug mode that had been hacked by an automated script and was redirecting people on first visit from a fresh IP to a "Congrats! You're our 1000000th visitor" spam site. Haven't heard from OCR in over a year.
When I worked at an MSP, we supported a small dermatologist's office. Everyone had personal computer accounts but everyone had a password of '1234' so...yeah.
Agreed. The organization would likely get fined for a breach, not the engineer. I work a senior IT role in Healthcare and I've seen what breaches look like. I've never even heard of someone going to prison, let alone for what this story tells.
Yeah to go to prison you have to really screw up, in a way that is malicious and willful. Though the CEO driving over to his MLM buddy with a thumbdrive of PHI might do it.
Personally, I wouldn't stake my future on hoping the government doesn't notice what my hypothetical law-breaking company is doing. Or that my law-breaking unethical CEO won't lie and try to throw me under the bus if/when the company eventually gets caught.
I'll restate that I recommend OP talk to a knowledgeable lawyer to get an informed assessment of what kind of risks he/she is undertaking.
I understand the difference between odds and risk. The risk is high (assuming you use the harshest possible penalties) but the odds are infinitesimally long.
Google and find who has actually faced penalties from HIPAA violations and what those penalties were. How many serious fines/prison sentences have been handed down? Who was at fault? Were they random no-name startups?