The Case of the Breakup Bombshell When an associate OD’s eminent divorce from his IT wife seriously affects the practices HIPAA audit status, what’s the practice owner to do? Dr. Fuller’s multi-doctor private practice had barely survived 2020: the pandemic, unemployment claims, staffing shortages and even a late night break-in. Then, a few months into 2021 the practice was victim to a ransomware attack. One of Dr. Fuller’s associate optometrists, Dr. Pullman, was married to the owner of a mid-sized IT firm. When Dr. Pullman was hired in 2019 his wife Ginny offered a complimentary audit of the practice’s systems. Dr. Fuller gratefully accepted — she herself had no computer skills and could tell that Ginny was honest and knowledgeable. Up until then the practice had relied on a patchwork of part time college students to keep things running smoothly. Ginny’s audit revealed a myriad of issues and concerns, and when Dr. Fuller confessed she couldn’t afford the $1,200/month service contract Ginny moved most of the work off the books, taking projects on herself. Dr. Fuller signed a contract for $200/month — which covered third party subscription fees — and wrote off eyewear, contact lenses and medical care for Ginny, her two kids and her parents. The deal had worked out in Ginny’s favor financially, but the recent data breach was a heavy administrative burden and Dr. Fuller was grateful to have someone like Ginny when the threat of fines in the tens of thousands of dollars was at stake. One Sunday, while Dr. Fuller was catching up on charting, she got a text that Dr. Pullman needed to speak to her immediately. Ten minutes later he was in her office, disheveled and hoarse. “I’m going to need to cancel my patients tomorrow, and I’m not sure about the rest of the week,” began Dr. Pullman. His eyes were red and puffy. “Is everything okay?” Dr. Fuller asked sympathetically. “Ginny and I are splitting up,” he blurted. ABOUT THE AUTHOR NATALIE TAYLOR is owner of Artisan Eyewear in Meredith, NH. She offers regional private practice consulting and ABO/COPE approved presentations. Email her at [email protected] EDITOR’S NOTE: Real Deal is a fictional scenario designed to read like real-life business events. The businesses and people mentioned in this story should not be confused with actual businesses and people. Dr. Fuller fell back in her chair, shocked, then leaned over her desk to give her coworker a big hug. “I’m so sorry Doug,” she finally said, “I had no idea anything was wrong.” Dr. Pullman was quiet, then replied, “To be totally honest with you, I was unfaithful. She’s just found out.” Dr. Fuller sat back down and put a hand to her mouth. “Oh.” Just then her computer dinged with an incoming email. In an attempt to break the awkward silence she quickly looked at her screen — it was an email from Ginny. “Hang on a sec,” she said distractedly, scanning the message. “Oh. Oh. Ginny is discontinuing IT services, effective immediately.” “I’m sorry,” Dr. Pullman replied. “What a mess.” She continued reading. “That includes work on the HIPAA audit! Shit.” “Isn’t the audit documentation due on Thursday?” he asked. “She can’t do that. We have a contract — remind her we can sue her company!” Dr. Fuller shook her head. “Ginny’s work wasn’t factored in. The contract covers software and licensing fees and does require 30 days’ notice,” she said. “The bigger issue is she knows we didn’t have all the required security and safety protocols before the breach.” “So?” asked Dr. Pullman. “She’s now in a position to be a whistle-blower, which means I don’t know how honest I should be with this audit!” QUESTIONS TO CONSIDER 1. Should Dr. Fuller try to salvage the professional relationship her business has with Ginny? How? 2. How should the practice hold Ginny and her company liable for breach of the 30-day notice and the off-books arrangement? 3. If you were Dr. Fuller, how would you handle the data breach audit? Would you take a risk and submit backdated documentation? Fill out my online form.