Forgot your password?
typodupeerror
Privacy

Medical Privacy Laws Highly Ineffectual 133

Posted by Zonk
from the get-effectual dept.
Rick Zeman writes "According to the Washington Post, since Americans gained statutory privacy for their medical records backed by the US Federal Government (via HIPAA), the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases saying that they were pursuing 'voluntary compliance.'" From the article: "'It's like when you're driving a car,' said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. 'If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply.'"
This discussion has been archived. No new comments can be posted.

Medical Privacy Laws Highly Ineffectual

Comments Filter:
  • by taumeson (240940) * on Monday June 05, 2006 @07:54AM (#15471271)
    Having been the HIPAA security officer for the Home Health division of the nation's largest protestant health organization, I can tell you we spent MILLIONS trying to be HIPAA compliant. We locked down servers and databases (encrypted data on secured databases on secured servers on secured networks). We instituted dual-factor authentication and physical security. We stressed our management application to its limits doing our best to ensure patient security and privacy.

    But, again, its the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.

    Good grief? Sure, but that was HIPAA compliant.

    So, please, geeks of the world, let's not bash an entire industry based on one article.
  • by MichaelSmith (789609) on Monday June 05, 2006 @07:59AM (#15471284) Homepage Journal
    Here in Sweden, we have no such trouble.

    I have to say I am surprised. I am sure we have it here in Australia.

  • It gets even better (Score:4, Informative)

    by plopez (54068) on Monday June 05, 2006 @08:27AM (#15471404) Journal
    Check this out.

    http://www.consumerist.com/consumer/irs/breaking-i rs-archive-control-sold-to-lowest-bidder-177771.ph p [consumerist.com]

    Talk about your privacy in jeapordy. How long before these records end up on an insecure server, or off shored to where people don't give a crap and sell the information. Identity theft anyone? How is keeping records secure *not* a core function?

    Every day I wake up amazed at the sheer stupitiy around me.
  • by LnxAddct (679316) <sgk25@drexel.edu> on Monday June 05, 2006 @08:45AM (#15471499)
    I wouldn't modify the title at all. Slashdot is a U.S.-centric site, and most of its readers are American. [slashdot.org] Having people from all around the world read it is great, but Slashdot caters to an American audience. If something doesn't state it, assume it is talking about America.
    Regards,
    Steve
  • by jdoc (216868) on Monday June 05, 2006 @08:55AM (#15471559)
    Let me give you a doctors perspective: HIPPA was created and implemented to, among other things, control the outrageous number of frivolous lawsuits arising from "breeches of privacy". Yes, it helps with privacy issues in medicine, and is needed for said reason. The lawsuits became a real burden in the 90's, just when medical malpractice lawsuits skyrocketed, as did insurance premiums. The Clinton's just sat back and watched, which doesn't surprise me- they've always been anti-doctor (I still remember that famous tour of American hospitals that Hillary went on in the early 90's, in order to see what needed to be done to improve our medical system. Her conclusion? "Doctors make too much money". She opened the floodgates to HMO's, and brought us dangerously close to socialized medicine. Our situation has somewhat stabilized now that Bush has at least spoken up for doctors, but the lawyers and insurance companies, in the meantime, have cleaned house and set a dubious precedent for lawsuits and reimbursements in medicine). HIPPA curbed the rate of lawsuits which were based on the privacy issues, but put restrictions on ALL communications between health care providers and the general population. The rules set forth by HIPPA are confusing at best, so the general attitude is, "don't tell anybody anything about anyone". It's better to deal with a disgruntled patients relative or power of attorney then it is to deal with government fines and expensive lawsuits. It doesn't surprise me that nurses aren't more forthcoming with medical information. Also, someone mentioned the Bush administration's cavalier attitude towards privacy issues. This really has nothing to do with the Bush administration. At least his administration laid down the framework for a privacy laws, which HELPED medicine, which is more than I can say for the Clintons. As far as enforcement is concerned- hospitals will handle issues locally at first. The government won't get involved until a lawsuit is filed, and then it'll come in the form of penalties to the hospital. I dread the day that Hillary gets into office, as do many other health care providers.
  • by Bored George (979482) on Monday June 05, 2006 @08:58AM (#15471572) Homepage
    RTFA! This is not about "laws", it's about one law: HIPAA. And it's not that the law is "ineffectual", it's that enforcement of the law is virtually nonexistent.
  • by electroniceric (468976) on Monday June 05, 2006 @09:14AM (#15471657)
    I'm also a HIPAA security officer, but for a tiny startup, so it's only a small fraction of my job. But you hit the nail right on the head here:
    But, again, its the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.
    HIPAA marked a big transition in regulation because:
    a) enforcement is complaint-driven, rather than having an inspection apparatus.
    b) It "scales": for many provisions, you can provide an explanation why you should be able to take an alternate (less onerous) measure.
    c) it explicitly focuses on management controls much more than data specifics.

    As a practitioner, I think this was a good approach (note that part c was taken up in earnest by Sarbanes-Oxley). Data privacy is an extraordinarily complicated affair, and one that is still evolving. Frankly, it's not like other industries in charge of personal data (e.g. finance) have done all that well either. And regulation itself takes time to settle down. Neither of these issues were explored at all by this article. I'd say given how much HIPAA differed from other regulation, and how dynamic the situation is, the implementation timeline has also been reasonable.

    Additionally, medicine is an extraordinarily fractured industry. There is no smooth "supply chain" type model for moving patients or data through the system, rather nearly every transaction is negotiated. The parent touched on this, but I'll go a bit further: a large fraction of medical transactions require human intervention to move data, and a huge amount of medical data has yet to be digitized. This is in stark contrast to physical industries like airplanes or retail, all of which have systematized many or most of their transaction chains.

    I'd say the right thing to do is to give the regs more teeth by prosecuting a few of the worst offenses. Basically, make it easy to show how and why disclosures caused damaged. This will put people on notice that the government is serious about the regs. If that doesn't work, the regs themselves can be tightened up, hopefully in the context of broader data privacy legislation.
  • by hagbard5235 (152810) on Monday June 05, 2006 @09:24AM (#15471713)
    While it's distressing that HIPAA is essentially seeing no enforcement, I find it more distressing that while it hinders movement of my medical information among my providers (requiring forms be signed by me, etc) it explicitely allows any law enforcement agent to waltz in without a warrant and assert without evidence that I am a suspect or victim in a crime and thus obtain my medical records.

    Everytime I hear someone throwing a fit about being able to obtain a warrant to get my library records I think of this. Funny how no one notices MASSIVE give aways of your privacy rights under democratic administrations. Oh, and look up 'know your customer' sometime too :)
  • by sweetnjguy29 (880256) on Monday June 05, 2006 @10:00AM (#15471943) Journal
    This is a classic case of why consumers should have a private right of action to sue in court under the civil law. HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute. (However, a stricter State statute or privacy or contract law might allow a suit)

    There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.

    The thought process is "well, Congress said you have a right to have your information kept private, but didn't explicitly say that anyone besides the State can enforce this remedy, so oh well, your screwed if the government doesn't want to do anything."

    This thought process is not only unjust, but goes against 500+ years of legal of Common Law. Where you have a right, you should always have a remedy. It is an axiom, and 20+ years of Republican Judicial Activists have destroyed this notion. It is not right, and it is not fair. And it is not conservative. It is radical and undemocratic, and goes against the rule of law.

    See: http://www.privacyrights.org/fs/fs8a-hipaa.htm [privacyrights.org] and http://www.healthlawtoday.com/hipaa/files/righttos ue.htm [healthlawtoday.com] and http://www.abanet.org/buslaw/blt/2001-11-12/meade. html [abanet.org]
  • by Wilf_Brim (919371) on Monday June 05, 2006 @10:37AM (#15472178)
    As a practitioner, let me say that HIPAA is being fairly actively enforced. There are some fairly bone headed breaches from time to time, but there are bone headed privacy breaches in every industry. I can tell you that there have been incredible unintended consequences. First, millions to billions have been spent (and are continuing to be spent) on HIPAA compliance. For the most part, this is money spent nominally on health care that is completely administrative in nature. Ever wonder where all of that 13% of the GDP spent on health care goes? A bunch of it is being spent on HIPAA compliance offices, with 4-6 FTEs being spent training, and doing paperwork. Not a terribly cost effective way of improving health care. Second, everyone now is safety wired into the "don't tell anybody anything" position. If your spouse is in the hospital, and you do not have a designated HIPAA compliant health care proxy, you (by HIPAA rules) don't get to know anything, other than where she/he is. No diagnosis, no prognosis, not what happened, nothing. If he/she didn't or wasn't able to make the designation in writing on admission (i.e. was run over by bus) you will need to jump a bunch of legal hurdles to get the information released. As a medical consultant, it is very hard for me to get information from people trying to refer patients to me. Too often I get the "I can't tell you that; HIPAA" line. Although, to be honest, this is a misinterpretation of the law, but many institutions have taken the view that "unless I have a piece of paper which explicitly states I can release information to you, I'm not telling you crap".
  • Warranties (Score:3, Informative)

    by Aram Fingal (576822) on Monday June 05, 2006 @10:44AM (#15472228)
    I think the thing with HIPAA is that it takes time for it to improve security and privacy. Basically, you can handle it however you want as long as you justify your decisions in writing as being "reasonable." Reasonable security might mean that it would cost so much to do things more securely that it would adversely affect service. There are so many small niche markets for medical information software that your reason for poor security may simply be that you only have two or three vendors who serve your specialty and they all have poor security. Many of these applications were created before security was taken as seriously as it is now and many were designed for isolated LANs but are now being connected to the internet. I hope that the bar will be raised by those people who go the extra mile. Then the standard for "reasonable" will eventually become something which really protects privacy.

    This goes to the topic of software warranties. Most medical informatics software come with something like a "statement of HIPAA compliance." which basically says that the vendor has designed the software in a way that it can satisfy HIPAA if you do your part to make it secure. This is fine in itself. The problem is that these applications don't run in isolation. You need an operating system to run them on and they quite often only run on the operating system with one of the worst security track records in the business. They may also depend on other application software. For example, one which I work with uses Microsoft Word and Word Macros to handle reports from the database. It was designed that way in order to allow the integration of third party options like speech-to-text from a variety of vendors. The thing is that Windows and Word don't come with any statement of HIPAA compliance. They follow the common practice in the software industry of disclaiming all warranty including against negligence.

     
  • by r00t (33219) on Monday June 05, 2006 @11:25AM (#15472550) Journal
    Want insurance?

    You must sign a waiver of your HIPPA rights. You agree that data given to the insurance company will not be subject to HIPPA regulations.

    Seriously, read the fine print. HIPPA does not exist unless your insurance company was unusually dumb. HIPPA is nothing until the law prohibits waiver of rights.
  • by Anonymous Coward on Monday June 05, 2006 @12:08PM (#15473003)
    In Australia, practioners do not receive or ask your health insurance about how much cover you have. They give you the bill and it is up to you to organise paying it (between you and the health insurance company.)

    In America, every medical facility that you want to claim through your health insurance appears able to access basic health insurance information such as how much you have spent "this year". What a joke.

    Roll over citizen John, ACME Inc wants to make a buck and you're not allowed to have any privacy.
  • by budgenator (254554) on Monday June 05, 2006 @01:37PM (#15473709) Journal
    It's hard to figure out what's a violation and what isn't; in a 12 mile radius of me there are 7 people with the same first and last name as me, 3 of those people have the same middle initial. Obviously the release of my name wouldn't really be personally identifying, however if my name was qvidis.... it would.

    This HIPPA stuff is affecting patient care right now. 3 weeks ago I burnt my hand at work, so the boss drives me to the Port Huron Hospital ER (newly remodeled for increased HIPPA compliance); there is no triage any more because that's HIPPA sensative data. My pain on their scale of 1 to 10 is about 18, I've got about a square inch of skin just flapping in the breeze, my knees are starting to buckle and the info clerk is explaining to another person how to get to the third floor! Eventually I get to be seen in the ER proper, they start an IV push some morphine into it which takes my pain from 18 to 9, cover my burn with gauze and sterile saline and ask me when I had my last tetanus shot. My personal doctor's office has all of the admin stuff done by Mercy hospital, the records are supposed to be available 24-7, so I get a tetanus booster I don't need in the other arm and they call an ambulance to transfer me to the burn center at Detroit Receiving Hospital. I get to DRH's ER give them all of my data which is inputed into their New computer system, get taken up to the burn center only to not be in the computer system, and have the burns deroofed and debrided ( the definition of pain is yet again expanded for me) and sent down to a bed on a med-surg unit. I remember looking at the clock after I burned my hand and it was 6:05 PM thurs., it's now 3:45 am on friday and I'm not in the new computer system, I guess they can't release personal data that can't be found!
  • by taumeson (240940) * on Monday June 05, 2006 @01:40PM (#15473729)
    Names aren't Protected Health Information. You can call them out any time and not get in trouble.
  • by peacefinder (469349) * <alan.dewitt@ g m a i l . com> on Monday June 05, 2006 @02:36PM (#15474186) Journal
    Speaking as someone who keeps a copy of the HIPAA regs ready to hand, I can say that what you describe is not a problem with HIPAA. Instead, it's a problem with that provider's stupid implementation. There is no "HIPAA security code" in the law.

    If you're involved in the patient's care, they are allowed to release information to you. They do have to have "reasonable belief", when releasing information, to verify that you are who you say you are and that you are actually involved in the patient's care. But the mechanism by which they confirm your identity doesn't have to be especially difficult. Asking you to provide the patient's full name, date of birth, and maybe one piece of other information should be more than sufficient.
  • by peacefinder (469349) * <alan.dewitt@ g m a i l . com> on Monday June 05, 2006 @03:03PM (#15474398) Journal
    "Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HPPA not to divulge anything"

    Then your provider needs to get a clue.

    You only need to sign one HIPAA "Notice of Privacy Practices", once, for each provider. If they give you a second one, it's because their NPP was revised, or they've lost track of the fact you've already got one.

    The NPP shouldn't ever ask you for anything or limit any of your rights if you sign it. It exists to inform you of the clinic's policies, and that's all. You sign only to acknowledge that you got a copy. You don't even have to sign an NPP; you can refuse it.

    If they give you anything at each visit and tell you that you must sign it due to HIPAA, you'd better read it very carefully and they had better have a very specific reason for asking you to sign. It sounds to me like they're either being inept ot sneaky.

Philogyny recapitulates erogeny; erogeny recapitulates philogyny.

Working...