HIPAA finally gets more bite than bark?

There are two major ways that regulations get bite. The first is a direct hit to the bottom line: an organization loses the ability to accept credit card payments (as can happen under PCI), or a bank's customers are told they need to switch to another institution (as can happen under FFIEC).

The second is damage to the organization's reputation. Forty-four states now have laws that require security breaches to be publicly disclosed (http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm).

HIPAA is now following the lead of those 44 states, gaining significantly more bite through provisions in the recently passed economic stimulus bill (the American Recovery and Reinvestment Act). The bill requires that the DHHS (Department of Health & Human Services) create a public website identifying covered entities (hospitals, insurance companies, etc.) that have had breaches of unsecured protected health information affecting more than 500 individuals.

The site must include a description of what happened, the date of the breach and the date it was discovered. It must also list the types of unsecured protected health information involved (name, SSN, DOB, home address, account number, patient record, etc.), what affected individuals should do to protect themselves from harm, and what the organization is doing to investigate and respond to the breach (http://thomas.loc.gov/home/h1/Recovery_Bill_Div_A.pdf, page 379).

No healthcare organization wants to be publicly identified as weak on security practices. That threat to reputation gives HIPAA more bite than it has ever had.
