Joe Eaton reports:
As the federal government prepares to spend up to $27 billion in stimulus funds to promote electronic medical records, a health technology industry survey suggests that a number of hospitals, health clinics, and insurance firms are violating federal security rules on patient data and putting sensitive health information at risk.
The November survey by the health technology trade association Healthcare Information and Management Systems Society (HIMSS) found that one in four of the 196 health organizations that responded do not conduct a formal risk analysis to identify security gaps in electronic patient data.
[…]
… no organization has ever been punished for violations of HIPAA’s data risk analysis provision, which is overseen by the Department of Health and Human Services (HHS). Since 1996, the agency has received approximately ten complaints that noted possible failure to perform risk analysis or risk management, according to Susan McAndrew, deputy director for health information privacy at HHS’s Office for Civil Rights; the civil rights office took over enforcement of HIPAA data security rules last July from the Centers for Medicare and Medicaid Services. None of the cases has resulted in penalties, which potentially range from $100 to $50,000 for a single violation and up to $1.5 million a year for multiple violations.
Read more on the Center for Public Integrity.