Friday, 30 September 2011
HIPAA Security. Are We Making Progress?
clear

The recent breach of 20,000 medical records at Stanford Hospital has me concerned.  The institution is part of Stanford University Medical Center and is a top rated health care provider.  Are we making progress on HIPAA security?  Are things getting better?  If this institution cannot effectively protect patient data, who can?  I analyzed the data on the HHS breach site, which reports medical records breaches (starting in 2009) of more than 500 records (www.hhs.gov) to see if I could see a positive trend.  The results are shown in the graph.

 

 

The data is not really showing a clear trend in either direction.  The vertical axis is pretty staggering in any case; the Stanford breach is only a blip on the chart.  Our Federal government has been putting great emphasis on medical records privacy.  Audits of HIPAA security will be starting in 2012 and could affect healthcare providers and their business associates.  Unfortunately, in perhaps typical government fashion, the detailed audit requirements have not been published.  

One of my concerns around HIPAA is the emphasis on compliance.  Good compliance does not result, necessarily, in good security.  Security managers need to develop effective security programs with compliance as only one "deliverable".

Should you be concerned about potential HIPAA security audits in 2012?  Statistically, probably not.  With 150 announced audits and the large population of covered entities (700,000) and business associates (1,500,000), your chance of an audit is about 0.000068.  This is the same probability as you or a family member being attacked by a shark.  But the audits will not be random and larger organizations will have a much greater chance of an onsite audit.

Should  you be concerned about HIPAA security breaches?  Yes.  Depending on the nature of the breached records, the consequences could be material.  Consider the fine of $1M levied by the Office of Civil Rights against Mass General for losing 200 records of AIDS patients.

In my next blog post, I will consider practical ways to secure HIPAA records and stay out of the news.

clear
Posted on 09/30/2011 11:01 AM by Frederick Scholl
clear
Monday, 5 September 2011
Other security blog posts here
clear

For more recent security blog posts that I have written, please check out:

 

Kraft Kennedy Security Blog

clear
Posted on 09/05/2011 11:15 AM by Frederick Scholl
clear