Some quick HIPAA history – Is compliance born from risk analysis?
on March 26th, 2007 at 10:23 pm

Here’s a comment I made on a post over at Riskanalysis.Is. The post was about how best practices should not be followed on blind faith, and it turned into a small (but good) debate about the reasons behind compliance. Alex didn’t know about the history of HIPAA, so I decided to turn to my alter-ego, “The Enlightener”, to help out.
Many people think HIPAA is just about securing health information, hence the common misspelling – HIPPA – which people think stands for Health Information Protection and Privacy Act or something like that. If that were all HIPAA was about, then I would agree it is essentially useless. But in reality HIPAA stands for “Health Insurance Portability and Accountability Act” (nothing about “information” in there), and it was an attempt to standardize health records to reduce cost and fraud for Medicare and to protect American workers from the “pre-existing condition” issue in health insurance. The infosec piece came to be because of the realization that all this health information floating around could be misused (and that is NOT only information in electronic format – the privacy side of HIPAA deals with paper and the like).
It was actually fairly visionary for the government to think about the dangers of what they were doing. That’s not saying the regulation is worth a crap. But it proves that HIPAA was truly born from risk analysis / tolerance.
A good source of HIPAA history: http://www.hipaadvisory.com/regs/hipaahistorybyzon.htm
I have known so many people in the healthcare industry who didn’t know this little bit of history. And I am not talking about the janitors and the cooks who didn’t really need to know (though I would argue that to some degree). I am talking about executive-level and director-level individuals running a healthcare organization.
Vet

I do agree with you Michael. Many of the directors as well as high-level executives working in healthcare are completely unaware of what HIPAA is about. Unfortunately we cannot blame them for this, but it is something that the HIPAA regulatory authority should know about, and they should take a serious step and effort in that direction and raise awareness about HIPAA at least among each and every healthcare provider and healthcare-related organization.
Michael,
Thanks for the post and the mention and the link. I had that much down, it was Adam’s “political horse trading” comment that kind of led me to believe there was something dark and sinister at work that I wasn’t aware of.
You know, the Illuminati, Skull & Bones, all that jazz.
Or at least some urban legend like Mastercard SDP and Wal-Mart.