Because the ARRA legislation anticipates a massive expansion in the exchange of electronic protected health information (ePHI), the HITECH Act also widens the scope of the privacy and security protections available under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA
The HIPAA Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps an organization ensure it is compliant with HIPAA's administrative, physical, and technical safeguards, and it helps reveal areas where an organization's protected health information (PHI) could be at risk (HealthIT.gov, 2014). HHS.gov recently posted its list of HIPAA breaches on its website, revealing all the breaches that have occurred since 2006; a significant number of them were due to lost or stolen laptops, desktops, and servers. Of those breaches, a total of 7.1M records were due to loss and 9.6M were due to theft (HHS.gov, 2014). The challenge here, as it pertains to HIPAA and assessing risk, is that no matter what precautions are put in place (e.g., encryption, passwords, restricted access), you are still only as secure as the person holding the data. Failure to comply with certain physical security measures also plays a part in these breaches.

In 2008, a compliance review by the Centers for Medicare and Medicaid Services (CMS) and the Office of E-Health Standards and Services (OESS) revealed a significant lack of compliance with several provisions of the HIPAA rule. The reasons for this noncompliance were not addressed, but one can speculate that the cost of becoming compliant was too overwhelming or was deemed inessential. Another likely reason is that history has shown, as with other legislation, that noncompliance did not prompt any real concern for mitigation because there were no harsh repercussions attached to it.