Privacy and security issues are said to be among the chief concerns for healthcare administrators facing new HIPAA regulations and a ramped-up electronic health record (EHR) incentive program.
A new study, however, indicates that many of those executives are failing to “walk the walk.”
In a report by consulting firm CSC, a HIMSS survey shows that fewer than half of large healthcare organizations in the U.S. (47 percent) conduct annual security risk assessments, and nearly six in ten didn’t dedicate any staff to security, as noted recently in InformationWeek. Fifty percent of respondents to the study spent 3 percent or less of their organizational resources on security.
New data security requirements for this field coming down the pike may have to force the issue, the report states.
Under the HITECH provisions of the American Recovery and Reinvestment Act, tightened HIPAA security provisions expected this fall will require breach notifications, restrictions on the marketing and sale of personal health information (PHI), and a mandate for annual risk assessments.
CSC consultant Jared Rhoads told InformationWeek he wasn’t surprised at the lead-footed response to data security, noting that some hospitals became complacent because HIPAA security rules hadn’t been enforced until recently. Starting later this year or early 2012, the Office for Civil Rights (OCR) will begin auditing organizations for compliance.
New regulations, including the requirement under both the Stage 1 Meaningful Use rules and the proposed Stage 2 rules that hospitals conduct annual risk assessments and fix any problems found, may light a fire under lagging administrators.
Hopefully, better late than never.