Many general managers still view HIPAA compliance as an unwanted and unneeded overhead cost – a distraction from providing quality patient care and bolstering the bottom line. They resent the federal ‘big stick’ and would rather have the autonomy to implement security as they see fit.
The problem with this approach is twofold. First, like many other industries, investment in information security is usually poorly planned and funded. Today’s sophisticated cybercriminal has easy pickings on the global internet smorgasbord. Second, the desire to share ePHI between organizations to improve patient care via Meaningful Use expects a foundation of reliable, accurate, standardized, available patient data. Without a reasonable expectation of ePHI security, Meaningful Use objectives are moot.
In the article “Is HIPAA doing what it’s supposed to do?”, Grant Elliot argues that developing a robust information security posture should be a priority for any business, especially one that stores lots of sensitive (indeed, life-critical) data. HIPAA security compliance is just a minimum standard. But implementing HIPAA security without a more holistic security approach can have its own risks.