Slashdot Mirror


Medical Privacy Laws Highly Ineffectual

Rick Zeman writes "According to the Washington Post, since Americans gained statutory privacy for their medical records backed by the US Federal Government (via HIPAA), the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases, saying that they were pursuing 'voluntary compliance.'" From the article: "'It's like when you're driving a car,' said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. 'If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply.'"

16 of 133 comments

  1. I'd modify this story's title this way: by bogaboga · · Score: 3, Insightful
    Since http://www.slashdot.org/ is read throughout the world, I'd modify this story's title to read...

    Medical Privacy Laws [in the USA] Highly Ineffectual

    Slashdotters all over the world are smart enough to know that the problem with those medical records is largely a local problem. That is to say, it is a US problem and not a problem for the whole world. Here in Sweden, we have no such trouble.

    1. Re:I'd modify this story's title this way: by MichaelSmith · · Score: 3, Informative
      Here in Sweden, we have no such trouble.

      I have to say I am surprised. I am sure we have it here in Australia.

  2. Re:Considering the recent incidents..... by taumeson · · Score: 4, Informative

    Having been the HIPAA security officer for the Home Health division of the nation's largest protestant health organization, I can tell you we spent MILLIONS trying to be HIPAA compliant. We locked down servers and databases (encrypted data on secured databases on secured servers on secured networks). We instituted dual-factor authentication and physical security. We stressed our management application to its limits doing our best to ensure patient security and privacy.

    But, again, it's the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.

    Good grief? Sure, but that was HIPAA compliant.

    So, please, geeks of the world, let's not bash an entire industry based on one article.

  3. Do you really want them to act on every complaint? by MikeRT · · Score: 4, Interesting

    How many of these cases were privacy violations due to accidents, staff inexperience, etc.? Do you really want doctors getting in legal trouble over trivial violations their first time or a particular staffer's first time? That is a GREAT way to drive up their insurance costs which only benefits lawyers and the insurance industry. You, in turn, pay higher medical costs.

    And whatever happened to innocent until proven guilty? This sounds a lot like the feminist tendency to say "she claimed she was raped, and women never lie about rape, thus she must have been raped." People get impassioned and complain all of the time for invalid reasons. People also complain out of ignorance, what they feel the law ought to be, etc. Broadcasting would be dead if every complaint sent to the FCC was taken at face value, and every slip of indecency were fined.

    How about we work toward some real privacy like, I don't know, fighting to keep the DMV from selling our records, the IRS our tax records (they want to do that now), get laws passed making law enforcement DNA databases available only to the police and NEVER to insurance groups, the DoJ requiring mandatory data retention and things like that.

  4. Re:Considering the recent incidents..... by plague3106 · · Score: 3, Interesting

    The problem is that the health care facility doesn't care either.

    My wife works in a hospital processing insurance. She complies with HIPAA (because privacy of her medical records is important to her), and will report the many violations she sees (technically, she could be fired for not reporting). However, her manager and upper management never do anything but give a verbal warning.

    There have been some pretty major violations too. They just don't care.

  5. It gets even better by plopez · · Score: 3, Informative

    Check this out.

    http://www.consumerist.com/consumer/irs/breaking-irs-archive-control-sold-to-lowest-bidder-177771.php

    Talk about your privacy in jeopardy. How long before these records end up on an insecure server, or offshored to where people don't give a crap and sell the information? Identity theft, anyone? How is keeping records secure *not* a core function?

    Every day I wake up amazed at the sheer stupidity around me.

    --
    putting the 'B' in LGBTQ+
  6. Why HIPAA is broken by callistra.moonshadow · · Score: 4, Interesting

    Case in point: My father was hospitalized and I was called to approve treatment over the phone. The ER personnel never gave me the HIPAA security code. Later I called to check on his status. The nursing desk staff refused to give me that information, citing HIPAA. Uh...they called me as medical power of attorney to give permission to treat him, yet they never gave me the top-secret security code. When I pointed out how ludicrous that was, they just used HIPAA as the reason to not give me my dad's health status. I managed to bypass the idiocy with the use of said Protected Healthcare information to get the information requested. It just shows that laws are made by the powers, but the analysis of the use-cases that will interact with the laws has not been given the proper review for the cases that are exceptions. So, all that said, nothing surprises me.

    --
    --Cally
    1. Re:Why HIPAA is broken by callistra.moonshadow · · Score: 4, Insightful

      Sure, I agree that there are reasons for HIPAA. I used to work at a firm that required HIPAA certification and I hold a current HIPAA cert. What is troublesome is how the HIPAA laws are used to either avoid dealing with things that are broken, or that they don't necessarily protect the so-called protected information. It could also lead to a person's death if not handled by someone that can bend the rules when the exceptions arise. That's what has me concerned - the lack of a plan for when things don't flow through the gates as expected. It has nothing to do with which administration is in power and everything to do with what makes logical sense. The way a hospital enforces HIPAA is broken - at least in my opinion from personal experience.

      --
      --Cally
  7. Laws Not Enforced, my story by tiltowait · · Score: 5, Interesting

    Last year my health insurance company, in response to a billing dispute, sent me a full page from their billing database. The record for my family took up just one paragraph, and above and below it I could see other patient names, billing codes, account numbers, and more.

    I asked them to explain this, and got no response. I sent the sheet of paper to the US Department of Health & Human Services. A few months later I got a letter back in the mail from them, stating that they had investigated the situation, the provider (Humana) admitted making a mistake which resulted in a privacy violation, and they weren't going to do a damn thing about it.

    So, I'm hardly surprised by this article. Still it's sad to see I was in the 73 percent of cases.

  8. Software and Policies are at fault by SpaceBass · · Score: 4, Interesting

    First, there is a LOT to HIPAA to understand. People often think any discussion of their medical history is a violation. The truth is you sign a lot over when you sign HIPAA waivers. For instance, the right for your caregiver to discuss anything about you with any other potential caregiver (often)...you want this, trust me.

    One of the areas that does continually surprise me is that medical records are stored, transmitted and displayed all in clear text. Some of the major manufacturers of the healthcare software often use FTP (not SFTP) to exchange records with their customers. Even internally within a hospital, records are transmitted from one system to another in clear text.

    If you want security, ask your caregiver how they are protecting your electronic records.

  9. Lazy /. Editors Create False Headlines by Bored+George · · Score: 3, Informative

    RTFA! This is not about "laws", it's about one law: HIPAA. And it's not that the law is "ineffectual", it's that enforcement of the law is virtually nonexistent.

  10. Practical nonsense.. by jpellino · · Score: 3, Funny

    After a year-long bout with several parallel ailments, my GP asked me how I was, and I replied "except for the writer's cramp, just fine". Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HIPAA not to divulge anything (maybe not explicitly required but it seems everyone's in CYA mode on every visit).

    As he observed, "What do they think I'm going to do - run out into the parking lot and yell to passers-by 'You'll never guess what Pellino's got...!'"

    And as I observed - you get three or more seniors in the waiting room, and no matter how the small talk starts, it always becomes a grand exposition of their ailments. "Huh! You don't know from gallstones! I should be so lucky to just have your gout!" and on and on and on...

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  11. Re:Considering the recent incidents..... by electroniceric · · Score: 3, Informative
    I'm also a HIPAA security officer, but for a tiny startup, so it's only a small fraction of my job. But you hit the nail right on the head here:
    But, again, it's the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.
    HIPAA marked a big transition in regulation because:
    a) enforcement is complaint-driven, rather than having an inspection apparatus.
    b) it "scales": for many provisions, you can provide an explanation why you should be able to take an alternate (less onerous) measure.
    c) it explicitly focuses on management controls much more than data specifics.

    As a practitioner, I think this was a good approach (note that part c was taken up in earnest by Sarbanes-Oxley). Data privacy is an extraordinarily complicated affair, and one that is still evolving. Frankly, it's not like other industries in charge of personal data (e.g. finance) have done all that well either. And regulation itself takes time to settle down. Neither of these issues were explored at all by this article. I'd say given how much HIPAA differed from other regulation, and how dynamic the situation is, the implementation timeline has also been reasonable.

    Additionally, medicine is an extraordinarily fractured industry. There is no smooth "supply chain" type model for moving patients or data through the system, rather nearly every transaction is negotiated. The parent touched on this, but I'll go a bit further: a large fraction of medical transactions require human intervention to move data, and a huge amount of medical data has yet to be digitized. This is in stark contrast to physical industries like airplanes or retail, all of which have systematized many or most of their transaction chains.

    I'd say the right thing to do is to give the regs more teeth by prosecuting a few of the worst offenses. Basically, make it easy to show how and why disclosures caused damage. This will put people on notice that the government is serious about the regs. If that doesn't work, the regs themselves can be tightened up, hopefully in the context of broader data privacy legislation.
  12. Why private rights of action matter by sweetnjguy29 · · Score: 4, Informative

    This is a classic case of why consumers should have a private right of action to sue in court under the civil law. HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute. (However, a stricter State statute or privacy or contract law might allow a suit)

    There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.

    The thought process is "well, Congress said you have a right to have your information kept private, but didn't explicitly say that anyone besides the State can enforce this remedy, so oh well, you're screwed if the government doesn't want to do anything."

    This thought process is not only unjust, but goes against 500+ years of Common Law. Where you have a right, you should always have a remedy. It is an axiom, and 20+ years of Republican Judicial Activists have destroyed this notion. It is not right, and it is not fair. And it is not conservative. It is radical and undemocratic, and goes against the rule of law.

    See: http://www.privacyrights.org/fs/fs8a-hipaa.htm and http://www.healthlawtoday.com/hipaa/files/righttosue.htm and http://www.abanet.org/buslaw/blt/2001-11-12/meade.html

  13. HIPAA's unintended consequences by Wilf_Brim · · Score: 4, Informative

    As a practitioner, let me say that HIPAA is being fairly actively enforced. There are some fairly boneheaded breaches from time to time, but there are boneheaded privacy breaches in every industry. I can tell you that there have been incredible unintended consequences. First, millions to billions have been spent (and are continuing to be spent) on HIPAA compliance. For the most part, this is money spent nominally on health care that is completely administrative in nature. Ever wonder where all of that 13% of the GDP spent on health care goes? A bunch of it is being spent on HIPAA compliance offices, with 4-6 FTEs being spent training, and doing paperwork. Not a terribly cost effective way of improving health care. Second, everyone now is safety wired into the "don't tell anybody anything" position. If your spouse is in the hospital, and you do not have a designated HIPAA compliant health care proxy, you (by HIPAA rules) don't get to know anything, other than where she/he is. No diagnosis, no prognosis, not what happened, nothing. If he/she didn't or wasn't able to make the designation in writing on admission (i.e. was run over by a bus) you will need to jump a bunch of legal hurdles to get the information released. As a medical consultant, it is very hard for me to get information from people trying to refer patients to me. Too often I get the "I can't tell you that; HIPAA" line. Although, to be honest, this is a misinterpretation of the law, but many institutions have taken the view that "unless I have a piece of paper which explicitly states I can release information to you, I'm not telling you crap".

  14. More than you know: you *are* a number by Just+Some+Guy · · Score: 3, Insightful
    According to HIPAA, at least as of a couple years ago, no privacy violation was too small. Including, say, a nurse coming to the waiting room and asking for "Mrs. Smith". After all, Mr. Jones sitting next to her would then know that woman's name. Instead, the only proper method for calling patients back to the treatment rooms is installing one of those "take a number" dispensers, then calling patients by number.

    Never mind that we live in a small town where Mrs. Smith and Mr. Jones went to kindergarten together and come from families that have been here for 150 years. And forget that my wife is a podiatrist and that visiting her isn't inherently compromising (unlike, say, sitting in the lobby of a clinic for sexually transmitted diseases).

    So, according to HIPAA, my wife is breaking the law each and every time she treats her patients like people instead of numbers. We haven't had a complaint yet and don't expect to, but could technically be busted for violating Mrs. Jones's privacy at any moment.

    --
    Dewey, what part of this looks like authorities should be involved?