Hard times on the HIPAA front

It's been a week of bad news for lazy or sloppy health care organizations. An employee fired after a security breach of protected health information filed a wrongful termination suit against his former employer, and it may have merit because of poor policies. A community health care provider hacked by a disgruntled employee may be dragged into a compliance quagmire because it's not clear that the organization took basic steps to revoke his access. And to top it off, the U.S. Department of Health and Human Services (HHS) is starting to swing the enforcement rule -- a dowdy part of the Health Insurance Portability and Accountability Act (HIPAA) that few people read -- like a scythe in a field of weedy policies and overgrown practices.

The first HIPAA audit by the HHS has been widely reported. Atlanta's Piedmont Hospital received notice of the audit, and much has been made of the information requested. But did we not see this coming?

With governance reform and example-making in legislative vogue (even if not entirely well-informed or evenly applied), it's surprising that some health care organizations behave as if nothing will come of the HIPAA rules. But audits are merely an examination; organizations ought to think more than a step ahead about discovery of failed controls or the immediate effect of a breach.