Rules for patient data security remain widely unenforced

"As the federal government prepares to spend up to $27 billion in stimulus funds to promote electronic medical records, a health technology industry survey suggests that a number of hospitals, health clinics, and insurance firms are violating federal security rules on patient data and putting sensitive health information at risk," The Center for Public Integrity reports. "The November survey by the health technology trade association Healthcare Information and Management Systems Society (HIMSS) found that one in four of the 196 health organizations that responded do not conduct a formal risk analysis to identify security gaps in electronic patient data. ... failure to conduct a formal risk analysis is a violation of the Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996." 

Susan McAndrew, deputy director for health information privacy at HHS's Office for Civil Rights, "said the agency hasn't issued any fines because the goal of enforcement is to nudge doctors, hospitals, and insurers into compliance, not to punish them." Industry insiders "say there have been few patient data security cases at HHS because the agency relies on media reports, complaints, and referrals from other agencies to learn of potential HIPAA rules violations, which has not generated a wide number of leads or investigations" (Eaton, 1/19).


This article was reprinted from khn.org with permission from the Henry J. Kaiser Family Foundation. Kaiser Health News, an editorially independent news service, is a program of the Kaiser Family Foundation, a nonpartisan health care policy research organization unaffiliated with Kaiser Permanente.
