We've spent gazillions of dollars on HIPAA Security compliance, some of it needed, but some of which I think we contrive for no good reason. Screening and trapping outbound email for HIPAA-sensitive terms is one of those risk mitigators that, to me, has incredibly low value. As we get our security feet on the ground in healthcare, we tend to spend big bucks locking the front door while leaving the back door wide open.
I've had this theory that most of our patients would prefer that we protect their personal identity and financial information first, and then protect their personal health information. But HIPAA has consumed us, while Red Flag is a latecomer invitee to the party. That order of invitation and attention never made sense to me, and I would argue that we need to balance our investment and attention in IS security risk management toward our patients' perspective of risk, not ours. Remember that Risk = The Probability of Something Bad Happening x The Consequences. Many of us tend to focus on one or the other, but you need some of both to equal "Risk." Likewise, drive either variable toward zero, and you can forget about the other.
I'm running a simple little survey (which will drive PhD survey designers nuts) to test the theory. Click here to take the one-question survey: Your Money or Your Life. I will report the results in a few days.