HIMSS: Health organizations not prepared for new HIPAA rules

Following closely on the heels of the publication of an HHS interim final rule that sharply raises civil penalties for HIPAA privacy violations comes a report from HIMSS that healthcare organizations are woefully underprepared to meet the new, tougher HIPAA privacy and security requirements called for in the American Recovery and Reinvestment Act.

The second annual HIMSS Security Survey, conducted by HIMSS and Symantec, found that healthcare organizations in general have not increased their security budgets or made explicit plans on how to respond to security threats or breaches. Nor are they taking advantage of widely available security tools to protect patient data; just 25 percent of respondents electronically analyze data they collect from audit logs of servers and firewalls. And while two-thirds of responding organizations encrypt data during transmission, less than half take similar precautions with stored information.

Even with the tougher security and privacy rules, healthcare organizations have not increased their budgets for information security this year, as about 60 percent of respondents to the 2009 survey devote no more than 3 percent of their IT funding to security, about the same as last year.

To learn more about these findings:
- peruse this Government Health IT story
- view the survey report (.pdf)

Related Articles:
HHS raises maximum HIPAA privacy fines to $1.5 million
U.S. hospitals have security 'blind spot'
Clinical IT leads to security neglect at hospitals