Who’s Really Afraid of HIPAA?

Since 1996, HIPAA has become one of the most important and highly publicized pieces of healthcare legislation in the United States. Over this time it has also become one of THE biggest topics of conversation within the healthcare and security industries, and with good reason: HIPAA involves two major issues, patients and privacy. What's truly amazing to me is that, behind the scenes, one would naturally assume that the majority of healthcare organizations are being driven by worry about the penalties the Department of Health & Human Services (HHS) might levy on them for failing to fully comply with HIPAA.

Something tells me the industry isn't quite as concerned as I thought. The latest piece of evidence lending credence to this suspicion involves the recent news around Providence Health & Services, which just last month was penalized for its violation of the privacy section of HIPAA. The fact that a healthcare organization failed to properly protect patient information is not unusual. There have been over 10,000 HIPAA-related complaints filed in recent years. There have also been numerous patient privacy violations, including the high-profile breaches that took place earlier this year at the UCLA Medical Center. What we have learned from these incidents is that while many organizations have taken concrete steps to protect their patients, many turning to access management and authentication management solutions, there are always going to be those that fail to properly address their areas of weakness. What really stands out to me is that while complaints have been filed and incidents have occurred, Providence Health & Services holds what CSO Magazine's Bill Brenner describes as the 'uncomfortable distinction of being the first organization penalized for violating the privacy section of the Federal Health Insurance Portability and Accountability Act (HIPAA).'

That's right. While many healthcare organizations have failed to meet the regulations of HIPAA, fines such as the recent $100,000 bill levied on Providence Health & Services have been few and far between. What this tells us is that while HIPAA has raised the bar for the protection of patient information and created an immediate call to action for most organizations, HHS has limited the effectiveness of HIPAA through its lack of commitment to enforcing the guidelines. The result? Companies that should be focusing on meeting HIPAA's standards, and considering the consequences they might face if they fail to do so, are ultimately deciding to focus on other projects that they deem more important.

The question is - will HHS ever become more hands-on within the industry regarding HIPAA? Until HHS becomes consistently more involved and penalizes those that are in violation, the industry will continue with its 'business as usual' approach instead of taking all the precautions outlined by HIPAA. I'd be interested to know - are you addressing HIPAA? And which is your greater worry - HHS-levied fines, or media exposure of a data breach?

If you are interested in hearing more about how a specific healthcare organization - William Osler Health Centre - is leveraging technology to address HIPAA issues, feel free to sit in on our September 9 webinar titled 'Imprivata, Single Sign-on and Biometrics Deployment: One Hospital Corporation, 3 Strategies.' See you there!

-John