Wednesday, July 4, 2007

Privacy and Security Review and Audit

Are you ready for an audit by a privacy and security oversight agency? Privacy legislation in many jurisdictions gives designated oversight agencies the power to review and audit the privacy, security and information handling practices of health care organizations.

According to Computerworld, health care organizations in the United States are on edge because the US Department of Health and Human Services (HHS) initiated an audit of Atlanta’s Piedmont Hospital for compliance with the HIPAA Security Rule. In an article dated June 19, 2007, Computerworld published a list of the 42 policies, procedures and other documents HHS asked Piedmont to provide.

Earlier this year the Information and Privacy Commissioner for Ontario (Canada) conducted a review of the Ontario Smart Systems for Health Agency (SSHA). SSHA provides the technical infrastructure for eHealth in the province of Ontario. The IPC report and SSHA’s response can be found on the SSHA Website.

Do you really have to worry about a review or audit by an oversight agency? I know that in Canada all of the Information and Privacy Commissioner offices are grossly underfunded with respect to the review and audit role and would be challenged to undertake any kind of systematic approach to general audit and review. How strong is the capacity of HHS or oversight agencies in other countries to take on an aggressive role in this regard?

Audits and reviews are most likely to be initiated after a major security or privacy breach, or some other event that brings an organization to the overseer’s attention. The chances of being selected at random for a review or audit are probably about the same as those of a plane crash. They happen, but the chances of it happening to me personally are pretty remote.