Two years ago, the HITECH Act toughened health care data breach penalties significantly. It seemed HIPAA finally had enough teeth for the industry to take it seriously.
Perhaps not. More than 360 breaches have been reported to the Department of Health and Human Services (HHS) since September 2009. After the latest, which affected 16,000 UCLA Health System patients, U.S. Sen. Al Franken (D-Minn.) said enough is enough.
Last week Franken, chairman of the Senate Subcommittee on Privacy, Technology and the Law, called for even tougher health care data breach penalties and enforcement rules from the Office for Civil Rights. The OCR told Franken that tougher rules were in the works but couldn’t provide a specific timetable.
That is unfortunate. Most health care data breaches are preventable through employee education, the security risk assessment HIPAA already mandates and, of course, technology. Encryption (particularly of laptops and portable media), network security, identity and access management and device management systems all come to mind. Plus, every high-profile health care data breach further erodes public confidence in electronic health records, which, as opinion polling suggests, the public already believes are far easier to steal than paper charts in a filing cabinet.
Will tougher rules finally give the industry a much-needed kick in the pants? The OCR's random HIPAA audit program did begin last week. It represents the first time the government will proactively evaluate health data security instead of waiting until a breach has occurred, but it's unclear whether the audits will amount to more than "teachable moments" for the organizations selected.
By and large, the presence of a police car parked behind the bushes and the threat of a speeding ticket do little to deter speeding. Too much is at stake for health data security to receive a similar brush-off.