Monday, May 17, 2010

Much said lately about Security/Privacy, but really nothing new

There was lots of healthcare related privacy and security news last week, but ultimately not much new was said.
All have the same theme. There is now a forcing function in OCR and its Breach Notification web site. It is time to dust off the Risk Assessment tools, document what you do, and do what you document. To emphasize this, OCR today released its Security Rule Draft Guidance:
The Office for Civil Rights (OCR) is responsible for issuing periodic guidance on the provisions in the HIPAA Security Rule. (45 C.F.R. §§ 164.302 – 318.) This series of guidance documents will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. The materials will be updated annually, as appropriate.
Yes, nothing new… Well, what is new is a marketplace realization that organizations just might need to take security and privacy seriously.

1 comment:

  1. I won't trust the marketplace to drive this yet. The mere threat of consequences or anecdotal evidence in news reports does not make a market.

    What we have now is the same calculus that makes people willing to forego medical insurance. If the risk feels remote, they prioritize the risk mitigation lower. They do this whether or not it makes objective sense from a risk analysis viewpoint. One serious and costly illness, for the person or a close friend, will change their calculus.

    What we need are heavy fines and prison sentences for privacy breaches. It needs to happen so often that it is no longer headline-worthy. The surety of adverse consequences will make risk calculations easier, and it will drive the market.