HIPAA in its early forms did very little to allow organizations to increase thier security. It in fact was largely ignored as a bother and something that would just cost money. The reason for this was that the enforcement and penalty was both weak and minor. Therefore it was not worth the investment from the eyes of a budget minded organization. However with the HITECH Act where penalties are now up to 1.5 million and it is now the State AG that is investigating the violations, Organizations are realizing that the risk is too large.

It unfortunately is small items that are often ignored that are the weak links, it is not that organizations do not have well established firewalls and corportate policies to enforce security, but it is the items behind the scene that “only cost money” or are “only for HR” that need to be invested in to ensure the security of the organization.

Mike, I am like you I do not want the Government meddling in my buisnessness, but on the other hand, I am not opposed to regulations from a body that would be a requirement to ensure security and privacy. In this economy where cash is analyized down to the dollar, Compliance is often the buzzword that allows IT to achieve it’s goals.