Slashdot Mirror


Medical Privacy Laws Highly Ineffectual

Rick Zeman writes "According to the Washington Post, since Americans gained statutory privacy for their medical records backed by the US Federal Government (via HIPAA), the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases saying that they were pursuing 'voluntary compliance.'" From the article: "'It's like when you're driving a car,' said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. 'If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply.'"

3 of 133 comments

  1. Re:Considering the recent incidents..... by taumeson · · Score: 4, Informative

    Having been the HIPAA security officer for the Home Health division of the nation's largest Protestant health organization, I can tell you we spent MILLIONS trying to be HIPAA compliant. We locked down servers and databases (encrypted data on secured databases on secured servers on secured networks). We instituted dual-factor authentication and physical security. We stressed our management application to its limits doing our best to ensure patient security and privacy.

    But, again, it's the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.

    Good grief? Sure, but that was HIPAA compliant.

    So, please, geeks of the world, let's not bash an entire industry based on one article.

  2. Why private rights of action matter by sweetnjguy29 · · Score: 4, Informative

    This is a classic case of why consumers should have a private right of action to sue in court under the civil law. HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute. (However, a stricter State statute or privacy or contract law might allow a suit.)

    There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.

    The thought process is "well, Congress said you have a right to have your information kept private, but didn't explicitly say that anyone besides the State can enforce this remedy, so oh well, you're screwed if the government doesn't want to do anything."

    This thought process is not only unjust, but goes against 500+ years of Common Law. Where you have a right, you should always have a remedy. It is an axiom, and 20+ years of Republican Judicial Activists have destroyed this notion. It is not right, and it is not fair. And it is not conservative. It is radical and undemocratic, and goes against the rule of law.

    See: http://www.privacyrights.org/fs/fs8a-hipaa.htm and http://www.healthlawtoday.com/hipaa/files/righttosue.htm and http://www.abanet.org/buslaw/blt/2001-11-12/meade.html

  3. HIPAA's unintended consequences by Wilf_Brim · · Score: 4, Informative

    As a practitioner, let me say that HIPAA is being fairly actively enforced. There are some fairly boneheaded breaches from time to time, but there are boneheaded privacy breaches in every industry. I can tell you that there have been incredible unintended consequences. First, millions to billions have been spent (and are continuing to be spent) on HIPAA compliance. For the most part, this is money spent nominally on health care that is completely administrative in nature. Ever wonder where all of that 13% of the GDP spent on health care goes? A bunch of it is being spent on HIPAA compliance offices, with 4-6 FTEs being spent training, and doing paperwork. Not a terribly cost-effective way of improving health care. Second, everyone now is safety wired into the "don't tell anybody anything" position. If your spouse is in the hospital, and you do not have a designated HIPAA compliant health care proxy, you (by HIPAA rules) don't get to know anything, other than where she/he is. No diagnosis, no prognosis, not what happened, nothing. If he/she didn't or wasn't able to make the designation in writing on admission (i.e. was run over by bus) you will need to jump a bunch of legal hurdles to get the information released. As a medical consultant, it is very hard for me to get information from people trying to refer patients to me. Too often I get the "I can't tell you that; HIPAA" line. Although, to be honest, this is a misinterpretation of the law, but many institutions have taken the view that "unless I have a piece of paper which explicitly states I can release information to you, I'm not telling you crap".