As the federal government prepares to spend up to $27 billion in stimulus funds to promote electronic medical records, a health technology industry survey suggests that a number of hospitals, health clinics, and insurance firms are violating federal security rules on patient data and putting sensitive health information at risk, The Center for Public Integrity reports. The November 2009 survey by the health technology trade association Healthcare Information and Management Systems Society found that one in four of the 196 health organizations that responded do not conduct a formal risk analysis to identify security gaps in electronic patient data. Failure to conduct a formal risk analysis is a violation of the Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996. The deputy director for health information privacy at HHS’s Office for Civil Rights was quoted as saying “the agency hasn’t issued any fines because the goal of enforcement is to nudge doctors, hospitals, and insurers into compliance, not to punish them.” HIPAA and its state-focused HITECH regs are very complex.Security Magazine will be spotlighting hospital and healthcare security in its April issue. Do you want to be interviewed or quoted? Email