Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Medical Privacy Laws Highly Ineffectual

Posted by Zonk on Mon Jun 05, 2006 06:34 AM
from the get-effectual dept.
Privacy Government Politics
Rick Zeman writes "According to the Washington Post, since Americans gained statutory privacy for their medical records backed by the US Federal Government (via HIPAA), the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases saying that they were pursuing 'voluntary compliance.'" From the article: "'It's like when you're driving a car,' said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. 'If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply.'"
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Medical Privacy Laws Highly Ineffectual 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • I'd modify this story's title this way: (Score:3, Insightful)

    by bogaboga (793279) on Monday June 05 2006, @06:52AM (#15471265)
    Since http://www.slashdot.org/ [slashdot.org] is read through out the world, I'd modify this story's title to read...

    Medical Privacy Laws [in the USA] Highly Ineffectual

    Slashdotters all over the world are smart enough to know that the problem with those medical records is largely a local problem. That is to say, it is a US problem and not a problem for the whole world. Here in Sweden, we have no such trouble.

  • How many of these cases were privacy violations due to accidents, staff inexperience, etc.? Do you really want doctors getting in legal trouble over trivial violations their first time or a particular staffer's first time? That is a GREAT way to drive up their insurance costs which only benefits lawyers and the insurance industry. You, in turn, pay higher medical costs.

    And whatever happened to innocent until proven guilty? This sounds a lot like the feminist tendency to say "she claimed she was rape, and women never lie about rape, thus she must have been raped." People get impassioned and complain all of the time for invalid reasons. People also complain out of ignorance, what they feel the law ought to be, etc. Broadcasting would be dead if every complaint sent to the FCC was taken at face value, and every slip of indecency were fined.

    How about we work toward some real privacy like, I don't know, fighting to keep the DMV from selling our records, the IRS our tax records (they want to do that now), get laws passed making law enforcement DNA databases available only to the police and NEVER to insurance groups, the DoJ requiring mandatory data retention and things like that.
    • One case which I can comment on (up to a point) is one which I was involved in. There was a period, a while back, where we were just beginning to realize the extent of the spyware problem on PCs and we started to install two or three different antispyware applications on each machine. In this process, we discovered that two of our medical transcriptionists had been infected with keylogger trojans which were sending data to an internet marketing company. This, of course, had to be reported as a HIPAA viol
    • It's hard to figure out what's a violation and what isn't; in a 12 mile radius of me there are 7 people with the same first and last name as me, 3 of those people have the same middle initial. Obviously the release of my name wouldn't really be personally identifying, however if my name was qvidis.... it would.

      This HIPPA stuff is affecting patient care right now. 3 weeks ago I burnt my hand at work, so the boss drives me to the Port Huron Hospital ER (newly remodeled for increased HIPPA compliance); there i

  • It gets even better (Score:4, Informative)

    by plopez (54068) on Monday June 05 2006, @07:27AM (#15471404)
    Check this out.

    http://www.consumerist.com/consumer/irs/breaking-i rs-archive-control-sold-to-lowest-bidder-177771.ph p [consumerist.com]

    Talk about your privacy in jeapordy. How long before these records end up on an insecure server, or off shored to where people don't give a crap and sell the information. Identity theft anyone? How is keeping records secure *not* a core function?

    Every day I wake up amazed at the sheer stupitiy around me.

  • Why HIPPA is broken (Score:4, Interesting)

    by callistra.moonshadow (956717) on Monday June 05 2006, @07:30AM (#15471417) Journal
    Case in point: My father was hospitalized and I was called to approve treatment over the phone. The ER personnel never gave me the HIPPA security code. Later I called to check on his status. The nursing desk staff refused to give me that information citing HIPPA. Uh...they called me as medical power of attorney to give permission to treat him yet they never gave me the top-secret security code. When I pointed out how ludicrous that was they just used HIPPA as the reason to not give me my dad's health status. I managed to bypass the idiocy with the use of said Protected Healthcare information to get the information requested. It just shows that laws are made by the powers, but the analysis of the use-cases that will interact with the laws have not been given the proper review for the cases that are exceptions. So, all that said, nothing surprises me.
    • Let me give you a doctors perspective: HIPPA was created and implemented to, among other things, control the outrageous number of frivolous lawsuits arising from "breeches of privacy". Yes, it helps with privacy issues in medicine, and is needed for said reason. The lawsuits became a real burden in the 90's, just when medical malpractice lawsuits skyrocketed, as did insurance premiums. The Clinton's just sat back and watched, which doesn't surprise me- they've always been anti-doctor (I still remember t
      • Thanks for the tried and true GOP talking points: First, there's no problem here, move along. Second, if there is a problem it is because of the Clintons (or "Clinton's", if you prefer). Nicely done. Your tax cut is in the mail.

      • Re:Why HIPPA is broken (Score:4, Insightful)

        by callistra.moonshadow (956717) on Monday June 05 2006, @08:27AM (#15471740) Journal
        Sure, I agree that there are reasons for HIPPA. I used to work at a firm that required HIPPA certification and I hold a current HIPPA cert. What is troublesome is how the HIPPA laws are used to either avoid dealing with things that are broken, or that they don't necessarily protect the so-called protected information. It could also lead to a person's death if not handled by someone that can bend the rules when the exceptions arise. That's what has me concerned - the lack of a plan for when things don't flow through the gates as expected. It has nothing to do with which adminstration is in power and everything to do with what makes logical sense. The way a hospital enforces HIPPA is broken - at least in my opinion from personal experience.
        • >It could also lead to a person's death if not handled by someone that can bend the rules when the exceptions arise. That's what has me concerned - the lack of a plan for when things don't flow through the gates as expected

          Fortunately HIPAA explicitly requires (black and white) that there be an emergency override procedure in place.
      • 1. Why the hell do people keep calling HIPAA HIPPA? There are two A's, not P's.
        2. There are more lawsuits for "breeches of privacy" than from before HIPAA....I suppose the argument can be made that they're not "frivolous", but I just wanted to point this out.
        3. Some Doctors do make too much money. I know of doctors worth over 100 MILLION. I can't see a big difference between what they did (the one I'm thinking about died a few years ago) and what my GP does. And when it takes a 2 MILLION dollar starting
    • According to HIPAA, at least as of a couple years ago, no privacy violation was too small. Including, say, a nurse coming to the waiting room and asking for "Mrs. Smith". After all, Mr. Jones sitting next to her would then know that woman's name. Instead, the only proper method for calling patients back to the treatment rooms is installing one of those "take a number" dispensers, then calling patients by number.

      Never mind that we live in a small town where Mrs. Smith and Mr. Jones went to kindergarten together and come from families that have been here for 150 years. And forget that my wife is a podiatrist and that visiting her isn't inherently compromising (unlike, say, sitting in the lobby of a clinic for sexually transmitted diseases).

      So, according to HIPAA, my wife is breaking the law each and every time she treats her patients like people instead of numbers. We haven't had a complaint yet and don't expect to, but could technically be busted for violating Mrs. Jones's privacy at any moment.

      • So why doesn't your wife call for number 352 from the lobby, and then ask Mr. Smith how he is once he is out of the public waiting room? That way she could protect his privacy, not break the law, not be open to liability, AND treat him like a human. I don't think it's your wife's place to decide that Mr. Smith's comfort at the moment of being called out of the waiting room supersedes his right to medical privacy. Maybe nine out of ten -- or even 999 out of 1000 -- Mr. Smiths agree with your wife's decision,
        • So why doesn't your wife call for number 352 from the lobby, and then ask Mr. Smith how he is once he is out of the public waiting room?

          Because her patients expect to be treated like humans and humans don't like being called by number. In her practice, patients tend to be retirement age or older (except for the occasional younger person with a broken toe, etc.). That population would not react well to being numerically processed.

          She's much better off business-wise to upset the one person who's not use

      • Names aren't Protected Health Information. You can call them out any time and not get in trouble.
    • Speaking as someone who keeps a copy of the HIPAA regs ready to hand, I can say that what you describe is not a problem with HIPAA. Instead, it's a problem with that provider's stupid implementation. There is no "HIPAA security code" in the law.

      If you're involved in the patient's care, they are allowed to release information to you. They do have to have "reasonable belief", when releasing information, to verify that you are who you say you are and that you are actually involved in the patient's care. But t

  • Laws Not Enforced, my story (Score:5, Interesting)

    by tiltowait (306189) on Monday June 05 2006, @07:34AM (#15471442) Homepage Journal
    Last year my health insurance company, in response to a billing dispute, send me a full page from their billing database. The record for my family took up just one paragraph, and above and below it I could see other patient names, billing codes, account numbers, and more.

    I asked them to explain this, and got no response. I sent the sheet of paper to the US Department of Health & Human Services. A few months later I got a letter back in the mail from them, stating that they had investigated the situation, the provider (Humana) admitted making a mistake which resulted in a privacy violation, and they weren't going to do a damn thing about it.

    So, I'm hardly surprised by this article. Still it's sad to see I was in the 73 percent of cases.

    • I don't know what it is - but throughout my working history, I've never worked with people as incompetent as medical billing staff.

      At an annual auction fundraiser for a local hospital, I had the pleasure of giving a group of these people a 3-hour training to learn how to fill out a simple GUI with just 3 pieces of information: the item number, the price, and the name of the winner bidder. So it didn't surprise me when some study showed that up to 40% of current medical costs could be shaved off if all hospi

  • Software and Policies are at fault (Score:4, Interesting)

    by SpaceBass (57416) on Monday June 05 2006, @07:43AM (#15471484) Homepage
    First, there is a LOT to HIPPA to understand. People often think any discussion of their medical history is a violation. The truth is you sign a lot over when you sign HIPPA wavers. For instance, the right for your care giver to discuss anything about you with any other potential care giver (often)...you want this, trust me.

    One of the areas that does continually suprise me is that medical records are stored, transmitted and displayed all in clear text. Some of the major manufacturers of the healthcare software often use FTP (not Sftp) to exchange records with their customers. Even internally with in a hospital, records are transmitted from one system to another in clear text.

    If you want security, ask your care give how they are protecting your electronic records.
    • >One of the areas that does continually suprise me is that medical records are stored, transmitted and displayed all in clear text.

      HIPAA calls for encryption.

      It's an "addressable" requirement, which means you can skip it if you
      - document why you don't need to or can't do it
      - develop your own security measure which is just as good
      - collect and store evidence that your security measure is just as good

      In practice my clients are treating encryption as a requirement.

  • Lazy /. Editors Create False Headlines (Score:3, Informative)

    by Bored George (979482) on Monday June 05 2006, @07:58AM (#15471572) Homepage
    RTFA! This is not about "laws", it's about one law: HIPAA. And it's not that the law is "ineffectual", it's that enforcement of the law is virtually nonexistent.

  • Practical nonsense.. (Score:4, Funny)

    by jpellino (202698) on Monday June 05 2006, @08:09AM (#15471623)
    After a year long bout with several parallel ailments, my GP asked me how I was, and I replied "except for the writer's cramp, just fine". Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HPPA not to divulge anything (maybe not explicitly required but it seems everyone's in CYA mode on every visit).

    As he observed, "What do they think I'm going to do - run out into the parking lot and yell to passers-by 'You'll never guess what Pellino's got...!'"

    And as I observed - you get three or more seniors in the waiting room, and no matter how the small talk starts, it always becomes a grand exposition of their ailments. "Huh! You don't know from gallstones! I should be so lucky to just have your gout!" and on and on and on...
    • "Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HPPA not to divulge anything"

      Then your provider needs to get a clue.

      You only need to sign one HIPAA "Notice of Privacy Practices", once, for each provider. If they give you a second one, it's because their NPP was revised, or they've lost track of the fact you've already got one.

      The NPP shouldn't ever ask you for anything or limit any of your rights if you sign it. It exists to inform you of the clin

  • HIPAA Protect you from everyone but the government (Score:3, Informative)

    by hagbard5235 (152810) on Monday June 05 2006, @08:24AM (#15471713)
    While it's distressing that HIPAA is essentially seeing no enforcement, I find it more distressing that while it hinders movement of my medical information among my providers (requiring forms be signed by me, etc) it explicitely allows any law enforcement agent to waltz in without a warrant and assert without evidence that I am a suspect or victim in a crime and thus obtain my medical records.

    Everytime I hear someone throwing a fit about being able to obtain a warrant to get my library records I think of this. Funny how no one notices MASSIVE give aways of your privacy rights under democratic administrations. Oh, and look up 'know your customer' sometime too :)

  • Compliance is Audited (Score:3, Insightful)

    by ec_hack (247907) on Monday June 05 2006, @08:29AM (#15471759)
    Most major health care organizations use outside auditors to look at privacy compliance. It is taken very, very seriouly by hospitals and the other organizations. My wife has dealt with the auditors at the ambulatory surgery center where she practices. They have made all kinds of nit-picky changes to their procedures, many of which make no sense. Example: when patients with dentures or retainers go in for surgery, they have to take the appliance out and it is placed in a plastic container of water. The container has a label from the medical records printout attached. After the patient leaves, procedure was to throw the empty plastic container in the medical waste bin for disposal by burning. The auditor demanded that they peel the label off after use and shred it.

    My late father had to have an outside auditor survey his office in order to remain on the list of authorized providers at several major insurance companies.

    The regulations are ambiguous as can be, so violations are going to happen until the appropriate practices are worked out.

  • HIPAA = Health Insurance Portability and Accountability Act (of 1996)
    HIPPA = Hippopotamus. With an A.

    STOP SPELLING IT "HIPPA"!

  • Why private rights of action matter (Score:5, Informative)

    by sweetnjguy29 (880256) on Monday June 05 2006, @09:00AM (#15471943) Journal
    This is a classic case of why consumers should have a private right of action to sue in court under the civil law. HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute. (However, a stricter State statute or privacy or contract law might allow a suit)

    There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.

    The thought process is "well, Congress said you have a right to have your information kept private, but didn't explicitly say that anyone besides the State can enforce this remedy, so oh well, your screwed if the government doesn't want to do anything."

    This thought process is not only unjust, but goes against 500+ years of legal of Common Law. Where you have a right, you should always have a remedy. It is an axiom, and 20+ years of Republican Judicial Activists have destroyed this notion. It is not right, and it is not fair. And it is not conservative. It is radical and undemocratic, and goes against the rule of law.

    See: http://www.privacyrights.org/fs/fs8a-hipaa.htm [privacyrights.org] and http://www.healthlawtoday.com/hipaa/files/righttos ue.htm [healthlawtoday.com] and http://www.abanet.org/buslaw/blt/2001-11-12/meade. html [abanet.org]
    • >HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute.

      Lawyers are good at finding workarounds.

      Don't know how the case turned out, but someone filed a negligence suit (not a HIPAA suit, you're right that those can't be done) on the grounds that the legal "duty of care" now includes following HIPAA.
    • I absolutely agree with you. But if a cause of action were created and people started suing, a bunch of short-sighted slashdotters would begin screaming and crying about how overly litigious our society has become, while only today they wailed and moaned about how our rights are not being protected. Litigation is one of the crucial, crucial enforcement mechanisms of some of our most sacred rights, and I wish more people would realize this. There are frivolous suits, yes, but overall the effect safeguards mu

  • HIPAA's unintended consequences (Score:4, Informative)

    by Wilf_Brim (919371) on Monday June 05 2006, @09:37AM (#15472178)
    As a practitioner, let me say that HIPAA is being fairly actively enforced. There are some fairly bone headed breaches from time to time, but there are bone headed privacy breaches in every industry. I can tell you that there have been incredible unintended consequences. First, millions to billions have been spent (and are continuing to be spent) on HIPAA compliance. For the most part, this is money spent nominally on health care that is completely administrative in nature. Ever wonder where all of that 13% of the GDP spent on health care goes? A bunch of it is being spent on HIPAA compliance offices, with 4-6 FTEs being spent training, and doing paperwork. Not a terribly cost effective way of improving health care. Second, everyone now is safety wired into the "don't tell anybody anything" position. If your spouse is in the hospital, and you do not have a designated HIPAA compliant health care proxy, you (by HIPAA rules) don't get to know anything, other than where she/he is. No diagnosis, no prognosis, not what happened, nothing. If he/she didn't or wasn't able to make the designation in writing on admission (i.e. was run over by bus) you will need to jump a bunch of legal hurdles to get the information released. As a medical consultant, it is very hard for me to get information from people trying to refer patients to me. Too often I get the "I can't tell you that; HIPAA" line. Although, to be honest, this is a misinterpretation of the law, but many institutions have taken the view that "unless I have a piece of paper which explicitly states I can release information to you, I'm not telling you crap".
    • Well said. I've been practicing medicine for about 10 years, and I've seen my share of mishaps regarding privacy (even today). The hospital I currently work out of is very strict when it comes to privacy, and the punishments are, for the most part, pretty harsh. But violations, as I've said before, are handled first at a local level, ie the hospital administration, unless a lawsuit is filed. So punishments tend to be non-publicized, but are still appropriate. The public don't hear about remedies unless

  • Warranties (Score:3, Informative)

    by Aram Fingal (576822) on Monday June 05 2006, @09:44AM (#15472228)
    I think the thing with HIPAA is that it takes time for it to improve security and privacy. Basically, you can handle it however you want as long as you justify your decisions in writing as being "reasonable." Reasonable security might mean that it would cost so much to do things more securely that it would adversely affect service. There are so many small niche markets for medical information software that your reason for poor security may simply be that you only have two or three vendors who serve your specialty and they all have poor security. Many of these applications were created before security was taken as seriously as it is now and many were designed for isolated LANs but are now being connected to the internet. I hope that the bar will be raised by those people who go the extra mile. Then the standard for "reasonable" will eventually become something which really protects privacy.

    This goes to the topic of software warranties. Most medical informatics software come with something like a "statement of HIPAA compliance." which basically says that the vendor has designed the software in a way that it can satisfy HIPAA if you do your part to make it secure. This is fine in itself. The problem is that these applications don't run in isolation. You need an operating system to run them on and they quite often only run on the operating system with one of the worst security track records in the business. They may also depend on other application software. For example, one which I work with uses Microsoft Word and Word Macros to handle reports from the database. It was designed that way in order to allow the integration of third party options like speech-to-text from a variety of vendors. The thing is that Windows and Word don't come with any statement of HIPAA compliance. They follow the common practice in the software industry of disclaiming all warranty including against negligence.

     

  • They bypass it legally. (Score:3, Informative)

    by r00t (33219) on Monday June 05 2006, @10:25AM (#15472550) Journal
    Want insurance?

    You must sign a waiver of your HIPPA rights. You agree that data given to the insurance company will not be subject to HIPPA regulations.

    Seriously, read the fine print. HIPPA does not exist unless your insurance company was unusually dumb. HIPPA is nothing until the law prohibits waiver of rights.
  • is that it contains no private right of action. In other words, you can't sue your insurance company when they sell your records to a marketing company^W^W^W^W^W^W^W share some of your health information with some of our selected, carefully prescreened partners. Your only recourse is to make a complaint to the same people that routinely accept millions in bribes^W contributions from the people you're complaining about. This is true with so many "protections" passed by this administration while at the sam

  • The main point of HIPAA is not privacy (Score:3, Insightful)

    by Aram Fingal (576822) on Monday June 05 2006, @12:24PM (#15473599)
    Since no one has pointed it out yet, I should mention that HIPAA stands for the Health Information Portability and Accountability Act. It's the portability part that came first. The accountability part only came after privacy advocates objected. The main purpose of HIPAA was to make it easier to share data among care providers. The medical profession is much more spread out among different specialties and facilities than it ever was in the past.

    One of the basic principals of HIPAA is that you can share data with anyone who is directly involved in the care of the patient and anyone who is responsible for billing for that care. I am involved with a clinical laboratory. We take samples from referring physicians, process them and give the results back. Many patients probably don't even realize that they are in our database. It seems to me that this is one of the weaknesses in HIPAA. You ought to have a right to know who has your data.

    The principal of medical privacy is there to prevent anyone from avoiding treatment for fear that their information will get out. This not only applies to people with diseases which might have a social stigma but it also applies to a case like that of a criminal on the run. Such a person should not have to avoid medical treatment for fear of being tracked through medical records. This is tantamount to denying medical care. Doctors should not be part of law enforcement (of course that general principal is not absolute when you consider examples like child abuse). I wonder if the level of access by law enforcement to medical data may already be causing some people to avoid, or delay being tested for conditions.

    HIPAA needs to to have a number of new provisions. You should be able to find out who has medical records on you, you should be able to get copies and have the original records deleted, or more likely anonymized since many laws require bulk reporting of the occurrence of certain diseases.

  • Eureka! (Score:3, Funny)

    by abb3w (696381) on Monday June 05 2006, @01:28PM (#15474125) Journal

    So put this [slashdot.org] and this [slashdot.org] together, and we read the secret headline "Midaeval Piracy Laws", thereby tying HIPAA in with the MPAA and RIAA and the basic Slashdot anti-Copyright agenda! Yes, it's a *AA conspiracy!

    Go on, mod me insightful. It's a slow news week so far.

    • Re:Considering the recent incidents..... (Score:5, Informative)

      by taumeson (240940) * on Monday June 05 2006, @06:54AM (#15471271)
      Having been the HIPAA security officer for the Home Health division of the nation's largest protestant health organization, I can tell you we spent MILLIONS trying to be HIPAA compliant. We locked down servers and databases (encrypted data on secured databases on secured servers on secured networks). We instituted dual-factor authentication and physical security. We stressed our management application to its limits doing our best to ensure patient security and privacy.

      But, again, its the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.

      Good grief? Sure, but that was HIPAA compliant.

      So, please, geeks of the world, let's not bash an entire industry based on one article.
      • RE:"but at least I had them put it in their drawers."

        ouch!
        • I know how awful it sounds, but think about it another way:

          1. Everybody in the office was theoretically allowed to get to that patient data.
          2. They NEEDED to share passwords because of how the insurance carriers set up their BBS. They only give one username/password combo out per company, but we had a dozen billers.
          3. We worked in a locked office with security.

          So...the information was supposed to be shared amongst the people in the office, but functionally needed to be stored somewhere because, well, "turn
        • the old aphorism

          getting your panties in a bunch

          Still, the OP is right. HIPAA, as with all government attempts at regulation, is a wierd, complex, inconsistent, illogical construct that underneath all of the legal mumbo jumbo, handwaving and threats, is actually trying to do something useful.

          The really scary aspect of this is that it represents a significant improvement from before. From someone who has been running a small medical office with ancient, creaking paper based systems and an even more ancient

      • Re:Considering the recent incidents..... (Score:4, Informative)

        by electroniceric (468976) on Monday June 05 2006, @08:14AM (#15471657)
        I'm also a HIPAA security officer, but for a tiny startup, so it's only a small fraction of my job. But you hit the nail right on the head here:
        But, again, its the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.
        HIPAA marked a big transition in regulation because:
        a) enforcement is complaint-driven, rather than having an inspection apparatus.
        b) It "scales": for many provisions, you can provide an explanation why you should be able to take an alternate (less onerous) measure.
        c) it explicitly focuses on management controls much more than data specifics.

        As a practitioner, I think this was a good approach (note that part c was taken up in earnest by Sarbanes-Oxley). Data privacy is an extraordinarily complicated affair, and one that is still evolving. Frankly, it's not like other industries in charge of personal data (e.g. finance) have done all that well either. And regulation itself takes time to settle down. Neither of these issues were explored at all by this article. I'd say given how much HIPAA differed from other regulation, and how dynamic the situation is, the implementation timeline has also been reasonable.

        Additionally, medicine is an extraordinarily fractured industry. There is no smooth "supply chain" type model for moving patients or data through the system, rather nearly every transaction is negotiated. The parent touched on this, but I'll go a bit further: a large fraction of medical transactions require human intervention to move data, and a huge amount of medical data has yet to be digitized. This is in stark contrast to physical industries like airplanes or retail, all of which have systematized many or most of their transaction chains.

        I'd say the right thing to do is to give the regs more teeth by prosecuting a few of the worst offenses. Basically, make it easy to show how and why disclosures caused damaged. This will put people on notice that the government is serious about the regs. If that doesn't work, the regs themselves can be tightened up, hopefully in the context of broader data privacy legislation.
      • I'm getting revenue from HIPAA compliance efforts and a lot of people at conferences are there to talk about "how we survived HIPAA".

        Here's what's worrisome, though. The most common approach to HIPAA is "what's the least we have to do to stay out of jail?". Unless there's enforcement through some channel, those HIPAA initiatives will turn into forgotten dust-covered binders.

      • I work for another giant healthcare company, and I can tell you that where HIPPA is making a huge difference for us is in firings. We've let go MANY people that we'd wanted to fire for various reasons, but it's hard to fire people -- especially those who manage to be incompetent at everything except know how to fight to keep their job. Previously, even when we had a "zero tolerance for errors" (something you'd want at a hospital no?) we still could not fire people who made repeated mistakes without going

    • What "NSA wiretapping debacle" are you talking about? A debacle is when you are defeated. In the case of US Government spying on millions of its citizens, what happended is just that the news got out. Were they forced by public outcry to stop such activities, you could call it a debacle. But, for what I know (I'm not American, so maybe missed something) they didn't stop. US citizens lost, not the Government.

      When scandals explode, it's too easy to think "Aha, they got caught! Now they HAVE to stop this!", bu

    • The problem is that the health care facility doesn't care either.

      My wife works in a hospital processing insurance. She complies with HIPPA (because privacy of her medical records is important to her), and will report the many violations she sees (technically, she could be fired for not reporting). However, her manager and upper management never do anything but give a verbal warning.

      There have been some pretty major violations too. They just don't care.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.