An Information Security Place

Commentary on the State of Information Security
Filed under Security

Here’s a comment I made on a post over at Riskanalysis.Is. The post was about how best practices should not be followed on blind faith, and it turned into a small (but good) debate about the reasons behind compliance. Alex didn’t know about the history of HIPAA, so I decided to turn to my alter-ego, “The Enlightener”, to help out.

Many people think HIPAA is just about securing health information, hence the common misspelling - HIPPA - which people think stands for Health Information Protection and Privacy Act or something like that. If that was all HIPAA was about, then I would agree it is essentially useless. But in reality HIPAA stands for “Health Insurance Portability and Accountability Act” (nothing about “information” in there), and it was an attempt to standardize health records to reduce cost and fraud for Medicare and to protect American workers from the “pre-existing condition” issue in health insurance. The infosec piece came to be because of the realization that all this health information floating around could be misused (and that is NOT only information in electronic format - the privacy side of HIPAA deals with paper and the like).

It was actually fairly visionary for the government to think about the dangers of what they were doing. That’s not saying the regulation is worth a crap. But it proves that HIPAA was truly born from risk analysis / tolerance.

A good source of HIPAA history: http://www.hipaadvisory.com/regs/hipaahistorybyzon.htm

I have known so many people in the healthcare industry that didn’t know this little bit of history. And I am not talking about the janitors and the cooks who didn’t really need to know (though I would argue that to some degree). I am talking about executive level and director level individuals running a healthcare organization.

Vet

Posted by Michael Farnum on Monday, March 26th, 2007