Today the Institute of Medicine (IOM) released a report, “Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research”…
You have to purchase the full report (for anywhere from $38.50 – $58.50), but you can get the “report brief” to find the high-level findings.
The focus of the report was how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule impacted health-related research.
The bottom-line message of the report is that the HIPAA Privacy Rule doesn’t have enough OOMPH! (my word, not theirs) in it to truly protect patients’ protected health information (PHI) because it lacks good safeguard requirements, and that HIPAA, as written, is too restrictive because of the requirements to obtain consent from patients to use their PHI.
It appears that the committee that performed the research and wrote the report consisted of all lawyers and doctors. If so, it is too bad they did not include information security experts to provide more balance to the report. Also, why didn’t they take the Security Rule into consideration?
It’s really silly that HIPAA was written with these two rules separated in such a way…and it has led to more confusion, security and privacy gaps, and misunderstandings than it has accomplished with positive safeguard and privacy advancements.