I'm not a huge baseball fan who lives for the sport. I played little league and one season in high school. As an adult I've played men's league slow pitch softball for years. Mostly just for the exercise and to hang out with friends. For me personally, the game itself just doesn't elicit the response that football or basketball does. I do however love to see a classic duel between a pitcher's pitcher and a hitter's hitter. The way they stare each other down, size each other up, try to anticipate the pitch or swing. The sequence might go something like this.
Curveball, high and inside. BALL 1.
Swing and a miss at a fastball down the center. STRIKE 1.
Off speed change up down and away. BALL 2.
Foul tip into the stands. STRIKE 2.
Curveball just outside the zone. BALL 3.
The home plate umpire yells… FULL COUNT.
This is it. Down to 1 pitch, 1 swing. Pressure is on both parties to perform at their peak. Who's gonna flinch?
I feel this is where most organizations are with the federal government in regards to information security. Staring down a full count. They've pitched us some curveballs like SOX and some dead-on heat like HIPAA. We've sat back and taken a couple of pitches to see what Uncle Sam's arm is like. We've swung at a few but only gotten a piece of it. Or maybe we've driven it deep but slightly foul. We're staring down a full count with Uncle Sam. If we (Corporate America) don't start taking information security and privacy more seriously and knock one out of the park, Uncle Sam is going to throw a 102 MPH fastball down the pipe and we'll "go down lookin'" as they say. The writing is on the wall. Just look at some changes "hidden" in the 1000+ pages of the American Recovery and Reinvestment Act (ARRA) of 2009.
It has some interesting implications for the health care industry. Previously, the HIPAA privacy and security regulations only applied to covered entities. These were typically health care providers and payers such as hospitals, physicians, health insurance plans and health information clearinghouses. Business associates (BA) who had access to the data via a covered entity simply had to agree to protect the data in a similar fashion but weren't specifically bound by HIPAA. Nor could they be penalized under HIPAA for a data breach.
The ARRA has something called the Health Information Technology for Economic and Clinical Health (HITECH) provisions, which will expand data privacy and security as defined under HIPAA. HHS is in the process of rolling out new guidance which is expected to significantly broaden the reach of data security and privacy for the health care industry. This will include forcing business associates of a covered entity to be bound by HIPAA rules and regulations, as well as increasing penalties and allowing states to enforce some of the penalties. HHS will be releasing their new HITECH regulations sometime this month, so over the next week I'll provide some guidance on what to expect.