There is a common misconception in the healthcare industry that complying with the regulatory requirements means you are automatically managing your risk. In practice the two are not the same thing, and compliance alone is no guarantee that the risk has been managed.
Laws such as HIPAA and HITECH (the Omnibus Rule) lay down requirements that covered entities must follow to protect the security and privacy of protected health information (PHI). These laws require healthcare payers, providers, clearinghouses and their business associates to be compliant in order to avoid penalties. Many healthcare IT vendors and consulting firms help covered entities become compliant by meeting the bare minimum requirements, exploiting loopholes or relying on workarounds, which leaves the security and privacy of the PHI inadequately protected.
Risk management, on the other hand, deals with the identification, assessment and prioritization of the risks that arise from the handling of PHI by covered entities and business associates. This is followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of a security or privacy breach. Risk management thus delivers a higher level of privacy and security for healthcare information than can be achieved through compliance alone.
There have been many incidents in which a covered entity claimed to meet all the regulatory requirements but still failed to secure its PHI, and attackers were able to compromise the healthcare data stored in its information systems with little effort. To reduce this risk, healthcare IT vendors and consultants should manage risk as part of designing their solutions instead of merely making them compliant. HIPAA's Security Rule itself requires covered entities to perform a risk analysis, so if the risk is appropriately identified and managed, compliance largely follows as a by-product.