From USA Today:
…the number of federal regulations (enacted by administrative agencies under loose authority from Congress) carrying criminal penalties may be as many as 300,000.
And it gets worse. While the old-fashioned common law crimes typically required a culpable mental state — you had to realize you were doing something wrong — the regulatory crimes generally don’t require any knowledge that you’re breaking the law.
The linked article (read the whole thing) is about regulatory law in general but it has a very specific dental application.
HIPAA law continues to frustrate dentists. There is a good reason for that the law is vague and frustrating. Then there is the HITECH law. Most dentists are aware of HIPAA but few even know the HITECH law exists. Never the less dentists are subject to punitive fines under HITECH.
The article notes that many of the tenants of US law we all assume apply in fact do not apply to federal regulations. For example; Innocent until proven guilty. What this means in practice is that the government needs to prove that the accused broke the law. The accused does not need to prove innocence.
HIPAA data security rules simply do not work in this manner. If you, as a dentist, are accused of a data breach it is up to you to prove that you are innocent. Proving this has almost nothing to do with actual loss of data and potential patient harm it consists almost solely of having the proper paperwork filled out.
If you do not have an up to date policy and procedure manual you are guilty.
Data security and patient confidentiality is a serious matter. Sadly the regulations do little to actually protect patients while putting dentists and other medical professionals at grave risk for administrative penalties.