
Health care security, HIPAA compliance on deck for CIOs in Obama era

HIPAA enforcement has long been lax, but that's changing with stiffer HIPAA security and privacy rules and incentives to move to electronic health records.

The public focus on health care is arguably at an all-time high, with billions of dollars earmarked for the adoption of electronic health records and with federal agencies such as the Federal Trade Commission signaling a keen interest in penalizing organizations that fail to protect patient health information. That means, as one expert put it, that health care security is coming, ready or not.

While health care security gets its share of lip service, the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have never engendered the fear and loathing of, say, a SOX audit, or even the Payment Card Industry Data Security Standard, the security standard for safeguarding against credit card fraud. Change is in the air, however.

Congress mandated improved enforcement of the Privacy Rule and Security Rule in the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act, or stimulus bill, signed into law in February by President Barack Obama. The stiffened penalties for noncompliance and expanded scope of organizations subject to HIPAA rules are consistent with the government push for the adoption of electronic health records and the electronic transmission of health information.

Since the rules took effect in 2003, the U.S. Department of Health and Human Services (HHS), the agency responsible for enforcing HIPAA, has paid scant attention to infractions. The money that organizations put toward HIPAA compliance has borne that out. The health care industry allocates 10.9% of the IT operating budget to security, behind the 12.6% allocated to security by financial services, 12.5% by retailers and 11.1% by government institutions, according to "Healthcare Security: Ready or Not, Here It Comes," a recent report from Forrester Research Inc.

"Many chief information security officers (CISOs) in the health care industry struggle to get management's attention and are typically operating on shoestring budgets," writes Forrester analyst Khalid Kark in the report.

Below, we offer a sampling of recent stories on how the health care security environment is changing, and on how and why IT executives throughout the health care supply chain must pay attention to it.

FTC pursuing HIPAA violations as a matter of consumer protection
The CVS Caremark case shows the FTC is ready to pursue enforcement of stronger HIPAA laws as a matter of consumer protection -- another reason to review security policies.

HIPAA-covered entities, business associates confront HITECH rules
An expert offers insights into how HIPAA-covered entities and business associates should implement new, tougher health care and data privacy rules set by the HITECH Act.

New HIPAA data breach notification rules put health industry on notice
New data breach notification rules for HIPAA have health care organizations scrambling to get their privacy practices -- and those of their partners -- in shape.

How to build a mature information security program: A crisis helps
Sometimes it takes a crisis to build an information security program. Eric Cowperthwaite, chief information security officer at Providence Health & Services, attests to that and has advice on security maturity.

Organization develops health care security framework
A new framework aims to help health care organizations deal with multiple requirements and provide specifics lacking in HIPAA.

HIPAA enforcement getting stronger
Agencies charged with enforcing HIPAA regulations have been slow to set policies for HIPAA compliance reviews and enforcement, but that's about to change.

HIPAA enforcement, more government audits leading to more convictions
Health care providers are taking steps to fight data thefts while agencies improve audits and HIPAA enforcement. As a result, convictions are up.

Dumped patient records underscore tougher HIPAA compliance rules
Health care providers who have played fast and loose with HIPAA compliance are in for a rude awakening, as a feistier HHS seeks to enforce stronger HIPAA provisions and penalties.

FAQ: What is the impact of HIPAA on IT operations?
This FAQ provides guidance on how the Health Insurance Portability and Accountability Act affects IT operations.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer
