Medical Privacy Laws Highly Ineffectual
Rick Zeman writes "According to the Washington Post, since Americans gained statutory privacy for their medical records backed by the US Federal Government (via HIPAA), the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases saying that they were pursuing 'voluntary compliance.'" From the article: "'It's like when you're driving a car,' said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. 'If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply.'"
Considering the recent incidents..... (Score:1, Insightful)
Re:Considering the recent incidents..... (Score:5, Informative)
But, again, it's the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.
Good grief? Sure, but that was HIPAA compliant.
So, please, geeks of the world, let's not bash an entire industry based on one article.
Re:Considering the recent incidents..... (Score:2, Funny)
ouch!
Re:Considering the recent incidents..... (Score:3, Interesting)
1. Everybody in the office was theoretically allowed to get to that patient data.
2. They NEEDED to share passwords because of how the insurance carriers set up their BBS. They only give one username/password combo out per company, but we had a dozen billers.
3. We worked in a locked office with security.
So...the information was supposed to be shared amongst the people in the office, but functionally needed to be stored somewhere because, well, "turn
This puts a new twist on (Score:2)
getting your panties in a bunch
Still, the OP is right. HIPAA, as with all government attempts at regulation, is a weird, complex, inconsistent, illogical construct that underneath all of the legal mumbo jumbo, handwaving and threats, is actually trying to do something useful.
The really scary aspect of this is that it represents a significant improvement from before. From someone who has been running a small medical office with ancient, creaking paper based systems and an even more ancient
Re:Considering the recent incidents..... (Score:4, Informative)
HIPAA marked a big transition in regulation because:
a) enforcement is complaint-driven, rather than having an inspection apparatus.
b) It "scales": for many provisions, you can provide an explanation why you should be able to take an alternate (less onerous) measure.
c) it explicitly focuses on management controls much more than data specifics.
As a practitioner, I think this was a good approach (note that part c was taken up in earnest by Sarbanes-Oxley). Data privacy is an extraordinarily complicated affair, and one that is still evolving. Frankly, it's not like other industries in charge of personal data (e.g. finance) have done all that well either. And regulation itself takes time to settle down. Neither of these issues was explored at all by this article. I'd say given how much HIPAA differed from other regulation, and how dynamic the situation is, the implementation timeline has also been reasonable.
Additionally, medicine is an extraordinarily fractured industry. There is no smooth "supply chain" type model for moving patients or data through the system, rather nearly every transaction is negotiated. The parent touched on this, but I'll go a bit further: a large fraction of medical transactions require human intervention to move data, and a huge amount of medical data has yet to be digitized. This is in stark contrast to physical industries like airplanes or retail, all of which have systematized many or most of their transaction chains.
I'd say the right thing to do is to give the regs more teeth by prosecuting a few of the worst offenses. Basically, make it easy to show how and why disclosures caused damage. This will put people on notice that the government is serious about the regs. If that doesn't work, the regs themselves can be tightened up, hopefully in the context of broader data privacy legislation.
Re:Considering the recent incidents..... (Score:1)
Re:Considering the recent incidents..... (Score:1)
I heartily concur. As a software developer for a hospital, we go out of the way to make sure things as secure as we can make them. We also scrutinize our designs from the perspective of HIPAA compliance. For example, we recently instituted a method that doctors could get a weekly email of their charts that they need to sign, dictate, etc. We cannot get paid until the doctors do this step. Unfortunately, we can't send individual patient info over email, even if it's on a server in our control-- therefor
There is plenty of motion (Score:2)
Here's what's worrisome, though. The most common approach to HIPAA is "what's the least we have to do to stay out of jail?". Unless there's enforcement through some channel, those HIPAA initiatives will turn into forgotten dust-covered binders.
Re:Considering the recent incidents..... (Score:3, Interesting)
I work for another giant healthcare company, and I can tell you that where HIPPA is making a huge difference for us is in firings. We've let go MANY people that we'd wanted to fire for various reasons, but it's hard to fire people -- especially those who manage to be incompetent at everything except know how to fight to keep their job. Previously, even when we had a "zero tolerance for errors" (something you'd want at a hospital no?) we still could not fire people who made repeated mistakes without going
HIPAA: A wonderful tool to get rid of people... (Score:2)
The violation: A member of our church brought his kid to her hospital. The parent asked her to let others in the church know that they had come to the hospital, and to pray for them. Someone at the hospital found out, and she got suspended.
Due to personal and family medical problems, her employer had chastised her in the past for missed days of work. This seems to those of us who know her like a
There's no excuse any more (Score:2)
You can lock down your servers, your network, etc. But as you imply, insiders are the big threat.
To avoid insider abuse at hospitals, doctors' offices, etc., you need to let insiders know you're watching everything they do. This isn't "big brother", it's common sense. You can't necessarily lock everyone out of everything, but if they know you're looking they'll more likely play by the rules.
An article about the Michigan health system [healthdatamanagement.com] (they use the P2 Sentinel [cerner.com] product from Cerner [cerner.com] and SenSage [sensage.com]) was informati
Re:Considering the recent incidents..... (Score:2, Insightful)
When scandals explode, it's too easy to think "Aha, they got caught! Now they HAVE to stop this!", bu
Re:Considering the recent incidents..... (Score:3, Interesting)
My wife works in a hospital processing insurance. She complies with HIPPA (because privacy of her medical records is important to her), and will report the many violations she sees (technically, she could be fired for not reporting). However, her manager and upper management never do anything but give a verbal warning.
There have been some pretty major violations too. They just don't care.
I'd modify this story's title this way: (Score:3, Insightful)
Medical Privacy Laws [in the USA] Highly Ineffectual
Slashdotters all over the world are smart enough to know that the problem with those medical records is largely a local problem. That is to say, it is a US problem and not a problem for the whole world. Here in Sweden, we have no such trouble.
Re:I'd modify this story's title this way: (Score:4, Informative)
I have to say I am surprised. I am sure we have it here in Australia.
Re:I'd modify this story's title this way: (Score:3, Interesting)
Re:I'd modify this story's title this way: (Score:2, Informative)
Regards,
Steve
Re:I'd modify this story's title this way: (Score:1)
Um... so? You might be able to make an argument that Slashdot should change to cater to new, potential readers, but if people are already coming here while Slashdot is still US centric, why bother?
"Slashdotters all over the world are smart enough to know that the problem with those medical records is largely a local problem."
But they're just not smart enough to know that the default location for news is the US?
"Here in Sweden,"
Should Slashdot t
Re:I'd modify this story's title this way: (Score:2)
Insularism is the least problem Slashdot has in that regard. When Taco can write:
Re:I'd modify this story's title this way: (Score:1)
Re:I'd modify this story's title this way: (Score:2)
"I think we're dangerously close to having a law that is essentially meaningless."
Certainly is for me.
Re:I'd modify this story's title this way: (Score:2)
But in this case... (Score:2)
Comment removed (Score:4, Interesting)
Re:Do you really want them to act on every complai (Score:1, Insightful)
Re:Do you really want them to act on every complai (Score:1)
And in one of those cases, the crime involved selling an FBI agent's medical records. Wonder why the Justice Department (in which the FBI is housed) chose to prosecute that case?
Re:Do you really want them to act on every complai (Score:3, Interesting)
Re:Do you really want them to act on every complai (Score:3, Informative)
This HIPPA stuff is affecting patient care right now. 3 weeks ago I burnt my hand at work, so the boss drives me to the Port Huron Hospital ER (newly remodeled for increased HIPPA compliance); there i
There are numbers between 0 and 19.420 (Score:2)
They do have a reason for the policy of issuing warnings and explaining how to do things. The rules are new, people aren't used to them, some amount of adjustment time might be reasonable. But the policy isn't producing compliance. The fantastic article says "The approach has made health-care organizations complacent about protecting records, several health-care consultants said". Or this quote:
"They a
Re:There are numbers between 0 and 19.420 (Score:2)
No one is happy with the end result, although they are adapting.
Re:Do you really want them to act on every complai (Score:1)
> and your medical condition, everywhere else it
> your name should be coded as number that other
> office workers cannot lookup.
Because the medical assistant doesn't review labs, and the records clerk doesn't file documents in your chart, and the billing clerk doesn't handle your call about the diagnosis codes on your latest EOB...do you have any sense how health care is actually delivered, even in efficient, high-quality places that are fully HIPAA
Re:Do you really want them to act on every complai (Score:2)
Yeah? When does that kick in? My wife's a surgeon, but I'm stuck driving a used Oldsmobile and lately riding a bike to work. We're not poor but neither do we live up to the "rich doctor" bullshit myth that you're buying into.
In reality, doctors spend the first 12 ye
It gets even better (Score:4, Informative)
http://www.consumerist.com/consumer/irs/breaking-
Talk about your privacy in jeopardy. How long before these records end up on an insecure server, or offshored to where people don't give a crap and sell the information. Identity theft anyone? How is keeping records secure *not* a core function?
Every day I wake up amazed at the sheer stupidity around me.
Why HIPPA is broken (Score:4, Interesting)
Re:Why HIPPA is broken (Score:2, Informative)
Re:Why HIPPA is broken (Score:2, Insightful)
Re:Why HIPPA is broken (Score:1)
Re:Why HIPPA is broken (Score:4, Insightful)
Re:Why HIPPA is broken (Score:2)
Fortunately HIPAA explicitly requires (black and white) that there be an emergency override procedure in place.
Re:Why HIPPA is broken (Score:2, Flamebait)
Wow, you got a cert and you can't even spell HIPAA? And people here talk about MCSE's!
Re:Why HIPPA is broken (Score:3, Interesting)
2. There are more lawsuits for "breeches of privacy" than from before HIPAA....I suppose the argument can be made that they're not "frivolous", but I just wanted to point this out.
3. Some Doctors do make too much money. I know of doctors worth over 100 MILLION. I can't see a big difference between what they did (the one I'm thinking about died a few years ago) and what my GP does. And when it takes a 2 MILLION dollar starting
Re:Why HIPPA is broken (Score:2)
Uh, and socialized medicine is SOOOOO bad for the rest of the world. Oh, wait, it seems to be working fine in Canada and Europe...
It's better to deal with a disgruntled patient's relative or power of attorney
If the person calling has the power of attorney and was contacted in the first place due to that, then no it isn't. It's better to give the information required, as you are required to do since the person you're talking to is the one who has the leg
More than you know: you *are* a number (Score:4, Insightful)
Never mind that we live in a small town where Mrs. Smith and Mr. Jones went to kindergarten together and come from families that have been here for 150 years. And forget that my wife is a podiatrist and that visiting her isn't inherently compromising (unlike, say, sitting in the lobby of a clinic for sexually transmitted diseases).
So, according to HIPAA, my wife is breaking the law each and every time she treats her patients like people instead of numbers. We haven't had a complaint yet and don't expect to, but could technically be busted for violating Mrs. Jones's privacy at any moment.
Re:More than you know: you *are* a number (Score:2)
Re:More than you know: you *are* a number (Score:2)
Because her patients expect to be treated like humans and humans don't like being called by number. In her practice, patients tend to be retirement age or older (except for the occasional younger person with a broken toe, etc.). That population would not react well to being numerically processed.
She's much better off business-wise to upset the one person who's not use
Re:More than you know: you *are* a number (Score:3, Informative)
Re:More than you know: you *are* a number (Score:2)
Here's the official list:
The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed to achieve the "safe harbor" method of de-identification:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo
Re:More than you know: you *are* a number (Score:2)
It's daft. I hate to say it, but your compliance auditor has something to gain by making things seem more difficult than they really are.
Remember that HIP
Re:More than you know: you *are* a number (Score:2)
Like being alive. That requires yearly checkups, you know. Or are we not allowed to know that the person next to us is alive, rather than dead?
I am not calling you an idiot, but your comment is idiotic.
Re:More than you know: you *are* a number (Score:2)
I think you missed the implied <sarcasm /> tag. I think it's idiotic too, but that was the advice we were given. I'm just relaying the message.
Re:Why HIPPA is broken (Score:3, Informative)
If you're involved in the patient's care, they are allowed to release information to you. They do have to have "reasonable belief", when releasing information, to verify that you are who you say you are and that you are actually involved in the patient's care. But t
Re:Why HIPPA is broken (Score:2)
Re:Why HIPPA is broken (Score:2)
They can't even do that right.
IRS Says Offshore Tax Evasion Is Widespread - Global Policy Forum - Nations and States [globalpolicy.org]
Laws Not Enforced, my story (Score:5, Interesting)
I asked them to explain this, and got no response. I sent the sheet of paper to the US Department of Health & Human Services. A few months later I got a letter back in the mail from them, stating that they had investigated the situation, the provider (Humana) admitted making a mistake which resulted in a privacy violation, and they weren't going to do a damn thing about it.
So, I'm hardly surprised by this article. Still it's sad to see I was in the 73 percent of cases.
Re:Laws Not Enforced, my story (Score:2)
At an annual auction fundraiser for a local hospital, I had the pleasure of giving a group of these people a 3-hour training to learn how to fill out a simple GUI with just 3 pieces of information: the item number, the price, and the name of the winning bidder. So it didn't surprise me when some study showed that up to 40% of current medical costs could be shaved off if all hospi
Re:Laws Not Enforced, my story (Score:1)
Re:Laws Not Enforced, my story (Score:2)
Software and Policies are at fault (Score:4, Interesting)
One of the areas that does continually surprise me is that medical records are stored, transmitted and displayed all in clear text. Some of the major manufacturers of the healthcare software often use FTP (not SFTP) to exchange records with their customers. Even internally within a hospital, records are transmitted from one system to another in clear text.
If you want security, ask your caregiver how they are protecting your electronic records.
Re:Software and Policies are at fault (Score:2)
HIPAA calls for encryption.
It's an "addressable" requirement, which means you can skip it if you
- document why you don't need to or can't do it
- develop your own security measure which is just as good
- collect and store evidence that your security measure is just as good
In practice my clients are treating encryption as a requirement.
Re:Software and Policies are at fault (Score:2)
Similarly, we do not require encrypted storage of data for mac
Re:Software and Policies are at fault (Score:2)
Re:Software and Policies are at fault (Score:2)
Re:Software and Policies are at fault (Score:2)
Re:Software and Policies are at fault (Score:2)
Actually, no. There is no generic HIPAA waiver. For the most part, HIPAA doesn't require the patient to sign anything, except to authorize specific disclosures in unusual circumstances.
I think what you're talking about is a clinic's Notice of Privacy Practices, which each provider or clinic is required to present to you at least once. By signing it, you simply acknowledge that you have received such notice, not that you agree with the clinic's
Lazy /. Editors Create False Headlines (Score:3, Informative)
Re:Lazy /. Editors Create False Headlines (Score:1)
In any case, a law that is not properly enforced IS ineffectual.
Re:Lazy /. Editors Create False Headlines (Score:1)
That said, and as someone who works in healthcare IT, I can substantiate a post further up that stated that this law cost many health care deliverers millions upon millions of dollars to imple
Re:Lazy /. Editors Create False Headlines (Score:2)
Gas stations don't collect information like whether you've had an abortion.
Re:Lazy /. Editors Create False Headlines (Score:2)
So if you want to be able to enforce HIPAA, all you need is an IRS-like agency with IRS-like powers and IRS-like reputation - I guarantee you'll get your compliance.
--Jon
Driving a Car? (Score:1)
Re:Driving a Car? (Score:2)
Practical nonsense.. (Score:4, Funny)
As he observed, "What do they think I'm going to do - run out into the parking lot and yell to passers-by 'You'll never guess what Pellino's got...!'"
And as I observed - you get three or more seniors in the waiting room, and no matter how the small talk starts, it always becomes a grand exposition of their ailments. "Huh! You don't know from gallstones! I should be so lucky to just have your gout!" and on and on and on...
Re:Practical nonsense.. (Score:3, Informative)
Then your provider needs to get a clue.
You only need to sign one HIPAA "Notice of Privacy Practices", once, for each provider. If they give you a second one, it's because their NPP was revised, or they've lost track of the fact you've already got one.
The NPP shouldn't ever ask you for anything or limit any of your rights if you sign it. It exists to inform you of the clin
HIPAA Protect you from everyone but the government (Score:3, Informative)
Every time I hear someone throwing a fit about being able to obtain a warrant to get my library records I think of this. Funny how no one notices MASSIVE giveaways of your privacy rights under democratic administrations. Oh, and look up 'know your customer' sometime too
Re:HIPAA Protect you from everyone but the governm (Score:1)
Compliance is Audited (Score:3, Insightful)
My late father had to have an outside auditor survey his office in order to remain on the list of authorized providers at several major insurance companies.
The regulations are ambiguous as can be, so violations are going to happen until the appropriate practices are worked out.
HIPPA != HIPAA (Score:2, Funny)
HIPPA = Hippopotamus. With an A.
STOP SPELLING IT "HIPPA"!
But... but... (Score:2)
I've long suspected that Wal-Mart does this. (Score:1)
Why private rights of action matter (Score:5, Informative)
There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.
The thought process is "well, Congress said you have a right to have your information kept private, but didn't explicitly say that anyone besides the State can enforce this remedy, so oh well, you're screwed if the government doesn't want to do anything."
This thought process is not only unjust, but goes against 500+ years of Common Law. Where you have a right, you should always have a remedy. It is an axiom, and 20+ years of Republican Judicial Activists have destroyed this notion. It is not right, and it is not fair. And it is not conservative. It is radical and undemocratic, and goes against the rule of law.
See: http://www.privacyrights.org/fs/fs8a-hipaa.htm [privacyrights.org] and http://www.healthlawtoday.com/hipaa/files/rightto
Re:Why private rights of action matter (Score:2)
Lawyers are good at finding workarounds.
Don't know how the case turned out, but someone filed a negligence suit (not a HIPAA suit, you're right that those can't be done) on the grounds that the legal "duty of care" now includes following HIPAA.
Re:Why private rights of action matter (Score:2)
Re:Why private rights of action matter (Score:2)
Actually, it's an import from the law of the former Soviet Union, which had many unenforceable rights in the Soviet constitution.
HIPAA's unintended consequences (Score:4, Informative)
Re:HIPAA's unintended consequences (Score:2, Insightful)
Warranties (Score:3, Informative)
This goes to the topic of software warranties. Most medical informatics software comes with something like a "statement of HIPAA compliance," which basically says that the vendor has designed the software in a way that it can satisfy HIPAA if you do your part to make it secure. This is fine in itself. The problem is that these applications don't run in isolation. You need an operating system to run them on and they quite often only run on the operating system with one of the worst security track records in the business. They may also depend on other application software. For example, one which I work with uses Microsoft Word and Word Macros to handle reports from the database. It was designed that way in order to allow the integration of third party options like speech-to-text from a variety of vendors. The thing is that Windows and Word don't come with any statement of HIPAA compliance. They follow the common practice in the software industry of disclaiming all warranty including against negligence.
Medieval privacy (Score:1, Offtopic)
They bypass it legally. (Score:3, Informative)
You must sign a waiver of your HIPPA rights. You agree that data given to the insurance company will not be subject to HIPPA regulations.
Seriously, read the fine print. HIPPA does not exist unless your insurance company was unusually dumb. HIPPA is nothing until the law prohibits waiver of rights.
No problem in Australia either (Score:1, Informative)
In America, every medical facility that you want to claim through your health insurance appears able to access basic health insurance information such as how much you have spent "this year". What a joke.
Roll over citizen John, ACME Inc wants to make a buck and you're not allowed to have any priva
Re:No problem in Australia either (Score:2)
The trouble with HIPAA (Score:2)
The main point of HIPAA is not privacy (Score:3, Insightful)
One of the basic principles of HIPAA is that you can share data with anyone who is directly involved in the care of the patient and anyone who is responsible for billing for that care. I am involved with a clinical laboratory. We take samples from referring physicians, process them and give the results back. Many patients probably don't even realize that they are in our database. It seems to me that this is one of the weaknesses in HIPAA. You ought to have a right to know who has your data.
The principle of medical privacy is there to prevent anyone from avoiding treatment for fear that their information will get out. This not only applies to people with diseases which might have a social stigma but it also applies to a case like that of a criminal on the run. Such a person should not have to avoid medical treatment for fear of being tracked through medical records. This is tantamount to denying medical care. Doctors should not be part of law enforcement (of course that general principle is not absolute when you consider examples like child abuse). I wonder if the level of access by law enforcement to medical data may already be causing some people to avoid, or delay being tested for conditions.
HIPAA needs to have a number of new provisions. You should be able to find out who has medical records on you, you should be able to get copies and have the original records deleted, or more likely anonymized since many laws require bulk reporting of the occurrence of certain diseases.
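An added example, written for this page and not taken from any poster or product named in the thread: an access-audit check that applies the sharing principle described in this post (access is justified for people involved in the patient's care or billing) and the earlier point about letting insiders know they are being watched. Accesses outside a recorded care or billing relationship are flagged; use of the emergency override another poster mentions is allowed but queued for human review. The care-team table and the log lines are constructed sample data.

```python
import csv
import io
from dataclasses import dataclass

# Constructed care-relationship table: who is legitimately involved in a
# patient's care or billing. In practice this would be fed from the
# scheduling/admission and billing systems, not hand-written.
CARE_TEAM = {
    ("dr_lee", "P1001"): "attending",
    ("rn_ortiz", "P1001"): "nurse",
    ("bill_kim", "P1001"): "billing",
    ("dr_lee", "P1002"): "attending",
}

# Constructed access log (CSV). Users, patient IDs and times are made up.
SAMPLE_LOG = """\
timestamp,user,patient,action
2007-06-05T09:01:00,dr_lee,P1001,view_chart
2007-06-05T09:05:00,rn_ortiz,P1001,view_labs
2007-06-05T09:07:00,bill_kim,P1001,view_eob
2007-06-05T09:09:00,clerk_doe,P1002,view_chart
2007-06-05T09:12:00,rn_ortiz,P1002,view_chart
2007-06-05T09:30:00,rn_ortiz,P1002,break_glass_view
"""

# Assumed naming convention: emergency-override actions carry this prefix.
BREAK_GLASS_PREFIX = "break_glass"


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient: str
    action: str
    verdict: str   # "ok", "review" or "alert"
    reason: str


def classify(user, patient, action, care_team):
    """Decide whether one access is justified, needs review, or is an alert."""
    role = care_team.get((user, patient))
    if role is not None:
        return "ok", f"{role} on patient's care/billing team"
    if action.startswith(BREAK_GLASS_PREFIX):
        # The override must exist for emergencies, but every use by someone
        # with no recorded relationship is logged and sent to a reviewer
        # instead of being silently accepted.
        return "review", "emergency override by user with no recorded relationship"
    return "alert", "access with no care or billing relationship"


def audit(log_text, care_team=CARE_TEAM):
    """Classify every row of a CSV access log."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        verdict, reason = classify(row["user"], row["patient"],
                                   row["action"], care_team)
        findings.append(Finding(row["timestamp"], row["user"], row["patient"],
                                row["action"], verdict, reason))
    return findings


def summarize(findings):
    """Count non-ok verdicts per user so repeat offenders stand out."""
    summary = {}
    for f in findings:
        if f.verdict != "ok":
            per_user = summary.setdefault(f.user, {})
            per_user[f.verdict] = per_user.get(f.verdict, 0) + 1
    return summary


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        if f.verdict != "ok":
            print(f"{f.verdict.upper():6} {f.timestamp} {f.user} -> "
                  f"{f.patient} ({f.action}): {f.reason}")
    print(summarize(results))
```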
Its extremely effective... (Score:2)
I could paper my walls with the number of stupid disclosure notices I've had to sign. One for each member of the family at each healthcare provider including eye doctors, pharmacists, allergists, etc., and another one for each school, camp, afterschool program, and employment situation.
All this, which in my case is well over 100 by this point, and they are useless?
GRRRRRRRR.
It makes me as angry as when I fill out forms for schools and camps for the kids and they have 4 or
Eureka! (Score:3, Funny)
So put this [slashdot.org] and this [slashdot.org] together, and we read the secret headline "Midaeval Piracy Laws", thereby tying HIPAA in with the MPAA and RIAA and the basic Slashdot anti-Copyright agenda! Yes, it's a *AA conspiracy!
Go on, mod me insightful. It's a slow news week so far.
This is part of the Plan (Score:2)
Although HIPAA was set in motion back in 1996, the Privacy rule only came into mandatory effect in October of 2002, and the Security rule not until April of 2005. We might be nearing the hard-enforcement da
My company moved from Blue Cross to "Self-Insured" (Score:2, Insightful)
What this means, besides the loss of virtually all state-mandated consumer protection in the area of medical reimbursement (because ERISA supersedes all that), is that now, instead of a 3rd party insurer getting my medical billing i
privacy of medical records and an amendment (Score:2)
Just goes to show the Bush admin has plenty of time to push for an amendment to the constitution to deny some the ability to marry whom they want in a consensual manner but won't take the time to enforce a law already on the books. Seems like businesses can't do any wrong but individuals can't be allowed to do what they want when they aren't harming another.
Falcon
Re:privacy of medical records and an amendment (Score:2)
Re:privacy of medical records and an amendment (Score:2)
Hardly a unique property of the Bush administration.
You're right it's not unique. But the democrats are somewhat the opposite. They allow people to do more in private, but not drug use, than republicans but they are harder on businesses. Neither of them practice or preach what the nation was founded on though, liberty and small government.
Falcon