HIMSS Study: 25% of Medical Practices Don't Do Risk Assessments (I think it's 80%)

I have been in healthcare since the late 60s and have spent most of that time dealing with physician practices at some level. My first job was working with orthopedic surgeons, and in the late nineties I was developing physician practice management software. In 2001 I started helping office-based surgeries get accredited with The Joint Commission. So I feel that I have a pretty good view of the state of privacy and security programs in practices.

I found this HIMSS study interesting because they polled "272 healthcare information technology and security professionals, one quarter of which indicated that they worked for a medical practice." In my experience, having one of these professionals on staff would only happen in a large clinic or practice. Over 50% of practices have 4 physicians or fewer and are unlikely to have a security professional on staff or even as an outsourced resource. Another 15% have 9 physicians or fewer and might have an IT person, but it is not likely that they would have a privacy and security professional.

So if we extrapolate that 33% of the larger practices don't do a risk assessment, what percentage of the smaller practices haven't done a risk assessment? Anecdotally, I would guess 80% have not.

If these practices want to participate in "meaningful use", which means that they could get $44,000 per physician over the next five years, they must do a risk assessment and begin to remediate the gaps in their security and privacy programs. This means that 2011 will be a busy year for risk assessment and remediation.

We are in the business of remediation and assurance. We help small CEs, BAs, and Subs get compliant, stay compliant and prove compliance with our Compliance Meter™.

Assure HIPAA HITECH Compliance with the Compliance Meter™

Here is the complete article about the HIMSS study:
