What Can We Learn about Healthcare IT Risk from HITECH? Risk Lessons Learned from the US HHS OCR Breach Portal

Abstract

The healthcare system in the United States has a sophisticated and an industry-unique set of legal requirements. At the Federal level, healthcare entities, which capture personal identifying information (PII) and also financially bill customers, are under two major laws Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH). The HITECH law requires public notifications of healthcare breaches consisting of 500 or more individuals. The notifications are posted to the US Health and Human Services (HHS) Office of Civil Rights (OCR) Breach Portal for the public to review. This research analyzes the previous year of data posted to the HHS OCR portal to gain empirical insights into healthcare IT risks. As risk informs budget, insurance allocations, and best practices, the real-live evidence analysis gives strong indicators of where stronger mitigating controls should be incorporated into the organizational Information Systems (IS) and overall healthcare infrastructure.