Will you be able to prove compliance with the HIPAA Security Rule, most notably 45 CFR 164.308(a) et seq., for protection of ePHI? That means documented implementation of things like:
- Administrative safeguards;
- Technical safeguards;
- Physical safeguards;
- Written coherent and comprehensive policies and procedures;
- Staff HIPAA training records;
- Publication and dissemination of a revised Notice of Privacy Practices to patients;
- Breach notification procedure;
- Patient ePHI data request procedure;
- Omnibus-compliant Business Associate Agreements (BAAs).
Maybe you're banking on not getting audited, at least until after you've had time to cobble this annoying stuff together post hoc.
Maybe. Maybe not. Post hoc isn't going to cut it: policies, training records and agreements produced after the fact and presented as though they had been in place all along aren't compliance. That would be fraud.
HIPAA Hunting Season is about to commence in earnest. I wrote a prior HIPAA post in May of 2012, btw.
More to come...