Can HHS Get a Handle on Healthcare Data Breaches?

December 1, 2011
As the OCR’s audit program gets underway, doubts are expressed

Susan McAndrew, deputy director for health information privacy, OCR, told Healthcare Informatics earlier this year that her office is serious about enforcement. “It is HHS' expectation that covered entities and their business associates take these requirements seriously. HHS will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules,” she said. “While HITECH may be an incentive for covered entities, self-evaluation should be standard practice. To ensure compliance, covered entities and business associates should conduct regular internal audits, hold regular trainings for their employees, and have a prompt action plan in place to respond to incidents.”


A recent study from the Traverse City, Mich.-based Ponemon Institute found that healthcare organizations' two most significant barriers to effective data protection were the complexity of compliance and regulatory requirements, followed by a lack of leadership around security. These barriers were cited by 23 percent of a sample of 718 experienced IT and IT security practitioners who self-reported that their organization had achieved best-practice status in data protection. Respondents from mainstream organizations (those not identifying their organizations as having achieved best-practice status) were more likely to see lack of monitoring and enforcement of end users as their biggest challenge.
