I have been seeing articles and blog posts about HIPAA having no teeth. I posted something about it last week. Mike Rothman mentioned my post in today’s Daily Incite (welcome back, Mike), and he correctly interpreted my post as stating that HIPAA is basically useless when it comes to enforcement (at least, so far). But Mike went a step farther by saying this:
“…healthcare organization[s] continue to invest in security, but it’s to protect private information (to avoid the negative brand impact of a breach) and also to improve patient care (identity management and SSO stuff), but it ain’t because of HIPAA.”
Here’s the question: Will healthcare execs actually continue to invest in security if they see that HIPAA is not a real threat to them or their organization, even with the concerns that Mike states?
I know from personal experience that IT is typically not a healthcare executive’s favorite place to spend money. They would (somewhat justifiably) rather spend it in the clinical areas, where they see the money being made. With HIPAA not being enforced, and non-government compliance agencies like JCAHO not really looking at the IT side of things (unless you have an EMR (Electronic Medical Records) system), what is the incentive? I know many state (and likely soon federal) governments are forcing companies to notify when they have a breach, and that is a serious consequence, but I am not convinced that it is enough.
So have healthcare security pros ridden the HIPAA train as far as it will go?
Vet