Health care security, HIPAA compliance on deck for CIOs in Obama era

By Linda Tucci, Senior News Writer
10 Sep 2009 | SearchCIO.com


The public focus on health care is arguably at an all-time high, with billions of dollars earmarked for the adoption of electronic health records and with federal agencies such as the Federal Trade Commission signaling a keen interest in penalizing organizations that fail to protect patient health information. That means, as one expert put it, that health care security is coming, ready or not.

While health care security gets its share of lip service, the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have never engendered the fear and loathing of, say, a SOX audit, or even the Payment Card Industry Data Security Standard, the security standard for safeguarding against credit card fraud. Change is in the air, however.

Congress mandated improved enforcement of the Privacy Rule and Security Rule in the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act, or stimulus bill, signed into law in February by President Barack Obama. The stiffened penalties for noncompliance and expanded scope of organizations subject to HIPAA rules are consistent with the government push for the adoption of electronic health records and the electronic transmission of health information.

The U.S. Department of Health and Human Services (HHS), the agency responsible for enforcing HIPAA, has paid scant attention to infractions since the rules took effect in 2003, and the money that organizations put toward HIPAA compliance has borne that out. The health care industry allocates 10.9% of the IT operating budget to security, behind the 12.6% allocated to security by financial services, 12.5% by retailers and 11.1% by government institutions, according to "Healthcare Security: Ready or Not, Here It Comes," a recent report from Forrester Research Inc.

"Many chief information security officers (CISOs) in the health care industry struggle to get management's attention and are typically operating on shoestring budgets," writes Forrester analyst Khalid Kark in the report.

Below, we offer a sampling of recent stories on how the health care security environment is changing, and on how and why IT executives throughout the health care supply chain must pay attention to it.

 FTC pursuing HIPAA violations as a matter of consumer protection
The CVS Caremark case shows the FTC is ready to pursue enforcement of stronger HIPAA laws as a matter of consumer protection -- another reason to review security policies.

 HIPAA-covered entities, business associates confront HITECH rules
An expert offers insights into how HIPAA-covered entities and business associates should implement new, tougher health care and data privacy rules set by the HITECH Act.

 New HIPAA data breach notification rules put health industry on notice
New data breach notification rules for HIPAA have health care organizations scrambling to get their privacy practices -- and those of their partners -- in shape.

 How to build a mature information security program: A crisis helps
Sometimes it takes a crisis to build an information security program. Eric Cowperthwaite, chief information security officer at Providence Health & Services, attests to that and has advice on security maturity.

 Organization develops health care security framework
A new framework aims to help health care organizations deal with multiple requirements and provide specifics lacking in HIPAA.

 HIPAA enforcement getting stronger
Agencies charged with enforcing HIPAA regulations have been slow to set policies for HIPAA compliance reviews and enforcement, but that's about to change.

 HIPAA enforcement, more government audits leading to more convictions
Health care providers are taking steps to fight data thefts while agencies improve audits and HIPAA enforcement. As a result, convictions are up.

 Dumped patient records underscore tougher HIPAA compliance rules
Health care providers who have played fast and loose with HIPAA compliance are in for a rude awakening, as a feistier HHS seeks to enforce stronger HIPAA provisions and penalties.

 FAQ: What is the impact of HIPAA on IT operations?
This FAQ provides guidance on how the Health Insurance Portability and Accountability Act affects IT operations.
