At the same time, he acknowledged that simply building security features into a system doesn’t ensure that the data will be protected if no one reviews the logs, insists that passwords be changed regularly, and so on.
“Everyone in this field of privacy and security acknowledges that the weak link is humans and their training,” Leavitt said. “So you get a false sense of security. You look at the features and you’re quite impressed, but most breaches occur because of human problems.… It’s very important to recognize that the human component — the training component and the policy component — is as important or more important than the software features. You never want to focus only on these technical features.”
In the same vein, most of the people interviewed for this article mentioned the need for HHS to more strongly enforce HIPAA rules. The department enforces the rules only when someone complains. When HHS discovers violations, officials have chosen to work with the offenders to bring them into compliance rather than take them to court.
Without more rigorous enforcement, critics say, the public will have little confidence that health care providers are actually using audit trails and other EMR security features. Runyon noted approvingly that in March the HHS inspector general undertook an audit of an Atlanta hospital’s compliance with HIPAA’s security rules. It was the agency’s first such audit, but the IG is reportedly planning more.
Among other things, it discusses the Nationwide Health Information Network and health information exchanges (HIEs), also known as regional health information organizations, and their role in disclosure and auditing. My wife is on the Governor's Commission on this in our state, and I have been following it with great interest. As I know more, I'll report.