Follow Slashdot stories on Twitter


Forgot your password?

Medical Privacy Laws Highly Ineffectual 133

Rick Zeman writes "According to the Washington Post, since Americans gained statutory privacy for their medical records backed by the US Federal Government (via HIPAA), the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases saying that they were pursuing 'voluntary compliance.'" From the article: "'It's like when you're driving a car,' said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. 'If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply.'"
This discussion has been archived. No new comments can be posted.

Medical Privacy Laws Highly Ineffectual

Comments Filter:
  • by Anonymous Coward
    Considering the various privacy issues that have plagued this administration, most recently in the form of the whole NSA wiretapping debacle, what would make anyone think they'd give a damn about the privacy of anyone but themselves?

    • by taumeson ( 240940 ) * on Monday June 05, 2006 @07:54AM (#15471271)
      Having been the HIPAA security officer for the Home Health division of the nation's largest protestant health organization, I can tell you we spent MILLIONS trying to be HIPAA compliant. We locked down servers and databases (encrypted data on secured databases on secured servers on secured networks). We instituted dual-factor authentication and physical security. We stressed our management application to its limits doing our best to ensure patient security and privacy.

      But, again, its the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.

      Good grief? Sure, but that was HIPAA compliant.

      So, please, geeks of the world, let's not bash an entire industry based on one article.
      • RE:"but at least I had them put it in their drawers."

        • I know how awful it sounds, but think about it another way:

          1. Everybody in the office was theoretically allowed to get to that patient data.
          2. They NEEDED to share passwords because of how the insurance carriers set up their BBS. They only give one username/password combo out per company, but we had a dozen billers.
          3. We worked in a locked office with security.

          So...the information was supposed to be shared amongst the people in the office, but functionally needed to be stored somewhere because, well, "turn
        • the old aphorism

          getting your panties in a bunch

          Still, the OP is right. HIPAA, as with all government attempts at regulation, is a wierd, complex, inconsistent, illogical construct that underneath all of the legal mumbo jumbo, handwaving and threats, is actually trying to do something useful.

          The really scary aspect of this is that it represents a significant improvement from before. From someone who has been running a small medical office with ancient, creaking paper based systems and an even more ancient

      • by electroniceric ( 468976 ) on Monday June 05, 2006 @09:14AM (#15471657)
        I'm also a HIPAA security officer, but for a tiny startup, so it's only a small fraction of my job. But you hit the nail right on the head here:
        But, again, its the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.
        HIPAA marked a big transition in regulation because:
        a) enforcement is complaint-driven, rather than having an inspection apparatus.
        b) It "scales": for many provisions, you can provide an explanation why you should be able to take an alternate (less onerous) measure.
        c) it explicitly focuses on management controls much more than data specifics.

        As a practitioner, I think this was a good approach (note that part c was taken up in earnest by Sarbanes-Oxley). Data privacy is an extraordinarily complicated affair, and one that is still evolving. Frankly, it's not like other industries in charge of personal data (e.g. finance) have done all that well either. And regulation itself takes time to settle down. Neither of these issues were explored at all by this article. I'd say given how much HIPAA differed from other regulation, and how dynamic the situation is, the implementation timeline has also been reasonable.

        Additionally, medicine is an extraordinarily fractured industry. There is no smooth "supply chain" type model for moving patients or data through the system, rather nearly every transaction is negotiated. The parent touched on this, but I'll go a bit further: a large fraction of medical transactions require human intervention to move data, and a huge amount of medical data has yet to be digitized. This is in stark contrast to physical industries like airplanes or retail, all of which have systematized many or most of their transaction chains.

        I'd say the right thing to do is to give the regs more teeth by prosecuting a few of the worst offenses. Basically, make it easy to show how and why disclosures caused damaged. This will put people on notice that the government is serious about the regs. If that doesn't work, the regs themselves can be tightened up, hopefully in the context of broader data privacy legislation.
      • I work very low-level at Big Insurance Company, where every day I see nearly a thousand people's confidential medical information. The average claim is probably seen by about six pairs of eyes during its lifetime. As far as external breeches go, we keep everything locked up pretty tightly, with 24-hour security guards etc. (they cornered me in the parkinglot one night) What does anger me, is that the mainframe passwords must be 6-8 characters. They wouldn't even let me use my 16 character password.
      • I heartily concur. As a software developer for a hospital, we go out of the way to make sure things as secure as we can make them. We also scrutinize our designs from the perspective of HIPAA compliance. For example, we recently instituted a method that doctors could get a weekly email of their charts that they need to sign, dictate, etc. We cannot get paid until the doctors do this step. Unfortunately, we can't send individual patient info over email, even if it's on a server in our control-- therefor

      • I'm getting revenue from HIPAA compliance efforts and a lot of people at conferences are there to talk about "how we survived HIPAA".

        Here's what's worrisome, though. The most common approach to HIPAA is "what's the least we have to do to stay out of jail?". Unless there's enforcement through some channel, those HIPAA initiatives will turn into forgotten dust-covered binders.
      • I work for another giant healthcare company, and I can tell you that where HIPPA is making a huge difference for us is in firings. We've let go MANY people that we'd wanted to fire for various reasons, but it's hard to fire people -- especially those who manage to be incompetent at everything except know how to fight to keep their job. Previously, even when we had a "zero tolerance for errors" (something you'd want at a hospital no?) we still could not fire people who made repeated mistakes without going

        • A good friend of mine was suspended from her job of 18 years, alleged due to concerns about a HIPAA violation.

          The violation: A member of our church brought his kid to her hospital. The parent asked her to let others in the church know that they had come to the hospital, and to pray for them. Someone at the hospital found out, and she got suspended.

          Due to personal and family medical problems, her employer had chastised her in the past for missed days of work. This seems to those of us who know her like a
      • You can lock down your servers, your network, etc. But as you imply, insiders are the big threat.

        To avoid insider abuse at hospitals, doctors' offices, etc., you need to let insiders you're watching everything they do. This isn't "big brother", it's common sense. You can't necessarily lock everyone out of everything, but if they know you're looking they'll more likely play by the rules.

        An article about the Michigan health system [] (they use the P2 Sentinel [] product from Cerner [] and SenSage []) was informati

    • What "NSA wiretapping debacle" are you talking about? A debacle is when you are defeated. In the case of US Government spying on millions of its citizens, what happended is just that the news got out. Were they forced by public outcry to stop such activities, you could call it a debacle. But, for what I know (I'm not American, so maybe missed something) they didn't stop. US citizens lost, not the Government.

      When scandals explode, it's too easy to think "Aha, they got caught! Now they HAVE to stop this!", bu

    • The problem is that the health care facility doesn't care either.

      My wife works in a hospital processing insurance. She complies with HIPPA (because privacy of her medical records is important to her), and will report the many violations she sees (technically, she could be fired for not reporting). However, her manager and upper management never do anything but give a verbal warning.

      There have been some pretty major violations too. They just don't care.
  • by bogaboga ( 793279 ) on Monday June 05, 2006 @07:52AM (#15471265)
    Since [] is read through out the world, I'd modify this story's title to read...

    Medical Privacy Laws [in the USA] Highly Ineffectual

    Slashdotters all over the world are smart enough to know that the problem with those medical records is largely a local problem. That is to say, it is a US problem and not a problem for the whole world. Here in Sweden, we have no such trouble.

  • by MikeRT ( 947531 ) on Monday June 05, 2006 @07:57AM (#15471280)
    How many of these cases were privacy violations due to accidents, staff inexperience, etc.? Do you really want doctors getting in legal trouble over trivial violations their first time or a particular staffer's first time? That is a GREAT way to drive up their insurance costs which only benefits lawyers and the insurance industry. You, in turn, pay higher medical costs.

    And whatever happened to innocent until proven guilty? This sounds a lot like the feminist tendency to say "she claimed she was rape, and women never lie about rape, thus she must have been raped." People get impassioned and complain all of the time for invalid reasons. People also complain out of ignorance, what they feel the law ought to be, etc. Broadcasting would be dead if every complaint sent to the FCC was taken at face value, and every slip of indecency were fined.

    How about we work toward some real privacy like, I don't know, fighting to keep the DMV from selling our records, the IRS our tax records (they want to do that now), get laws passed making law enforcement DNA databases available only to the police and NEVER to insurance groups, the DoJ requiring mandatory data retention and things like that.
    • by Anonymous Coward
      Two problems. First, the ratio. It seems hard to believe that only two out of thousands were serious enough to prosecute. Secondly, more crucially, is the explanation given. It isn't that they've investigated the thousands of complaints and found that they don't warrant prosecution, it's that they want "voluntary compliance". Sorry, but that's stupid. The whole point of laws is that they're enforced. If you want people to play nice voluntarily then don't pass a law. If you pass a law then enforce it.
    • One case which I can comment on (up to a point) is one which I was involved in. There was a period, a while back, where we were just beginning to realize the extent of the spyware problem on PCs and we started to install two or three different antispyware applications on each machine. In this process, we discovered that two of our medical transcriptionists had been infected with keylogger trojans which were sending data to an internet marketing company. This, of course, had to be reported as a HIPAA viol
    • It's hard to figure out what's a violation and what isn't; in a 12 mile radius of me there are 7 people with the same first and last name as me, 3 of those people have the same middle initial. Obviously the release of my name wouldn't really be personally identifying, however if my name was qvidis.... it would.

      This HIPPA stuff is affecting patient care right now. 3 weeks ago I burnt my hand at work, so the boss drives me to the Port Huron Hospital ER (newly remodeled for increased HIPPA compliance); there i
    • HHS would have issued their $100 fines in more than 0 cases if they were taking the approach of enforcement.

      They do have a reason for the policy of issuing warnings and explaining how to do things. The rules are new, people aren't used to them, some about of adjustment time might be reasonable. But the policy isn't producing compliance. The fantastic article says "The approach has made health-care organizations complacent about protecting records, several health-care consultants said". Or this quote:
      "They a
      • This was debated post-HIPAA enactment when they needed to identify who had enforcement authority for this new set of laws. HHS is not a branch of government one identifies with prosecution, although they do understand investigation. Justice is identified with prosecution, although they have little experience with healthcare.

        No one is happy with the end result, although they are adapting.
  • It gets even better (Score:4, Informative)

    by plopez ( 54068 ) on Monday June 05, 2006 @08:27AM (#15471404) Journal
    Check this out. p []

    Talk about your privacy in jeapordy. How long before these records end up on an insecure server, or off shored to where people don't give a crap and sell the information. Identity theft anyone? How is keeping records secure *not* a core function?

    Every day I wake up amazed at the sheer stupitiy around me.
  • Why HIPPA is broken (Score:4, Interesting)

    by callistra.moonshadow ( 956717 ) on Monday June 05, 2006 @08:30AM (#15471417) Journal
    Case in point: My father was hospitalized and I was called to approve treatment over the phone. The ER personnel never gave me the HIPPA security code. Later I called to check on his status. The nursing desk staff refused to give me that information citing HIPPA. Uh...they called me as medical power of attorney to give permission to treat him yet they never gave me the top-secret security code. When I pointed out how ludicrous that was they just used HIPPA as the reason to not give me my dad's health status. I managed to bypass the idiocy with the use of said Protected Healthcare information to get the information requested. It just shows that laws are made by the powers, but the analysis of the use-cases that will interact with the laws have not been given the proper review for the cases that are exceptions. So, all that said, nothing surprises me.
    • by jdoc ( 216868 )
      Let me give you a doctors perspective: HIPPA was created and implemented to, among other things, control the outrageous number of frivolous lawsuits arising from "breeches of privacy". Yes, it helps with privacy issues in medicine, and is needed for said reason. The lawsuits became a real burden in the 90's, just when medical malpractice lawsuits skyrocketed, as did insurance premiums. The Clinton's just sat back and watched, which doesn't surprise me- they've always been anti-doctor (I still remember t
      • Thanks for the tried and true GOP talking points: First, there's no problem here, move along. Second, if there is a problem it is because of the Clintons (or "Clinton's", if you prefer). Nicely done. Your tax cut is in the mail.
      • by callistra.moonshadow ( 956717 ) on Monday June 05, 2006 @09:27AM (#15471740) Journal
        Sure, I agree that there are reasons for HIPPA. I used to work at a firm that required HIPPA certification and I hold a current HIPPA cert. What is troublesome is how the HIPPA laws are used to either avoid dealing with things that are broken, or that they don't necessarily protect the so-called protected information. It could also lead to a person's death if not handled by someone that can bend the rules when the exceptions arise. That's what has me concerned - the lack of a plan for when things don't flow through the gates as expected. It has nothing to do with which adminstration is in power and everything to do with what makes logical sense. The way a hospital enforces HIPPA is broken - at least in my opinion from personal experience.
        • >It could also lead to a person's death if not handled by someone that can bend the rules when the exceptions arise. That's what has me concerned - the lack of a plan for when things don't flow through the gates as expected

          Fortunately HIPAA explicitly requires (black and white) that there be an emergency override procedure in place.
        • by Garg ( 35772 )
          ...I hold a current HIPPA cert.

          Wow, you got a cert and you can't even spell HIPAA? And people here talk about MCSE's!
      • by taumeson ( 240940 ) *
        1. Why the hell do people keep calling HIPAA HIPPA? There are two A's, not P's.
        2. There are more lawsuits for "breeches of privacy" than from before HIPAA....I suppose the argument can be made that they're not "frivolous", but I just wanted to point this out.
        3. Some Doctors do make too much money. I know of doctors worth over 100 MILLION. I can't see a big difference between what they did (the one I'm thinking about died a few years ago) and what my GP does. And when it takes a 2 MILLION dollar starting
      • and brought us dangerously close to socialized medicine.

        Uh, and socialized medicine is SOOOOO bad for the rest of the world. Oh, wait, it seems to be working fine in Canada and Europe...

        It's better to deal with a disgruntled patients relative or power of attorney

        If the person calling has the power of attorney and was contacted in the first place due to that, then no it isn't. It's better to give the information required, as you are required to do since the person you're talking to is the one who has the leg
    • According to HIPAA, at least as of a couple years ago, no privacy violation was too small. Including, say, a nurse coming to the waiting room and asking for "Mrs. Smith". After all, Mr. Jones sitting next to her would then know that woman's name. Instead, the only proper method for calling patients back to the treatment rooms is installing one of those "take a number" dispensers, then calling patients by number.

      Never mind that we live in a small town where Mrs. Smith and Mr. Jones went to kindergarten together and come from families that have been here for 150 years. And forget that my wife is a podiatrist and that visiting her isn't inherently compromising (unlike, say, sitting in the lobby of a clinic for sexually transmitted diseases).

      So, according to HIPAA, my wife is breaking the law each and every time she treats her patients like people instead of numbers. We haven't had a complaint yet and don't expect to, but could technically be busted for violating Mrs. Jones's privacy at any moment.

      • So why doesn't your wife call for number 352 from the lobby, and then ask Mr. Smith how he is once he is out of the public waiting room? That way she could protect his privacy, not break the law, not be open to liability, AND treat him like a human. I don't think it's your wife's place to decide that Mr. Smith's comfort at the moment of being called out of the waiting room supersedes his right to medical privacy. Maybe nine out of ten -- or even 999 out of 1000 -- Mr. Smiths agree with your wife's decision,
        • So why doesn't your wife call for number 352 from the lobby, and then ask Mr. Smith how he is once he is out of the public waiting room?

          Because her patients expect to be treated like humans and humans don't like being called by number. In her practice, patients tend to be retirement age or older (except for the occasional younger person with a broken toe, etc.). That population would not react well to being numerically processed.

          She's much better off business-wise to upset the one person who's not use

      • Names aren't Protected Health Information. You can call them out any time and not get in trouble.
        • Name _are_ protected health information. Associating a name with a facility can coorelate to personal health experience depending on the type of facility.

          Here's the official list:

          The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed to achieve the "safe harbor" method of de-identification:

          (A) Names;

          (B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo
    • Speaking as someone who keeps a copy of the HIPAA regs ready to hand, I can say that what you describe is not a problem with HIPAA. Instead, it's a problem with that provider's stupid implementation. There is no "HIPAA security code" in the law.

      If you're involved in the patient's care, they are allowed to release information to you. They do have to have "reasonable belief", when releasing information, to verify that you are who you say you are and that you are actually involved in the patient's care. But t
    • Perhaps HIPPA is broken because the goverment can seldom do anything correctly except for collecting taxes.
  • by tiltowait ( 306189 ) on Monday June 05, 2006 @08:34AM (#15471442) Homepage Journal
    Last year my health insurance company, in response to a billing dispute, send me a full page from their billing database. The record for my family took up just one paragraph, and above and below it I could see other patient names, billing codes, account numbers, and more.

    I asked them to explain this, and got no response. I sent the sheet of paper to the US Department of Health & Human Services. A few months later I got a letter back in the mail from them, stating that they had investigated the situation, the provider (Humana) admitted making a mistake which resulted in a privacy violation, and they weren't going to do a damn thing about it.

    So, I'm hardly surprised by this article. Still it's sad to see I was in the 73 percent of cases.

    • I don't know what it is - but throughout my working history, I've never worked with people as incompetent as medical billing staff.

      At an annual auction fundraiser for a local hospital, I had the pleasure of giving a group of these people a 3-hour training to learn how to fill out a simple GUI with just 3 pieces of information: the item number, the price, and the name of the winner bidder. So it didn't surprise me when some study showed that up to 40% of current medical costs could be shaved off if all hospi
      • Unfortunately, the insurance companies do not want efficient billing systems. The longer they can delay paying the claim, the longer they get to hold on to the money, and the more interest they collect.
        • Mod the parent up, because this is EXACTLY right. The insured patients don't care whether their insurance company pays the provider on time or not after they have paid their co-payment and by the same token the insurance company doesn't care whether the providers raise their rates because they simply pass those costs on to the insured patients in higher premiums. The third party payer system, i.e. the insurance companies, are largely responsible for the massive escalation of health care costs in this countr
  • by SpaceBass ( 57416 ) on Monday June 05, 2006 @08:43AM (#15471484) Homepage
    First, there is a LOT to HIPPA to understand. People often think any discussion of their medical history is a violation. The truth is you sign a lot over when you sign HIPPA wavers. For instance, the right for your care giver to discuss anything about you with any other potential care giver (often) want this, trust me.

    One of the areas that does continually suprise me is that medical records are stored, transmitted and displayed all in clear text. Some of the major manufacturers of the healthcare software often use FTP (not Sftp) to exchange records with their customers. Even internally with in a hospital, records are transmitted from one system to another in clear text.

    If you want security, ask your care give how they are protecting your electronic records.
    • >One of the areas that does continually suprise me is that medical records are stored, transmitted and displayed all in clear text.

      HIPAA calls for encryption.

      It's an "addressable" requirement, which means you can skip it if you
      - document why you don't need to or can't do it
      - develop your own security measure which is just as good
      - collect and store evidence that your security measure is just as good

      In practice my clients are treating encryption as a requirement.
      • The official policy here is that we don't need encryption for network communication as long as it is within our LAN or between us and the hospital which we are associated with. The policy says that being on a switched LAN is good enough to prevent packet sniffing. Our main medical records system uses old fashoned Telnet but also works with SSH. No one is bothering to switch the client software over to SSH because it isn't officially necessary.

        Similarly, we do not require encrypted storage of data for mac
    • First, there is a LOT to HIPPA to understand. People often think any discussion of their medical history is a violation. The truth is you sign a lot over when you sign HIPPA wavers. For instance, the right for your care giver to discuss anything about you with any other potential care giver (often) want this, trust me.

      One of the areas that does continually suprise me is that medical records are stored, transmitted and displayed all in clear text. Some of the major manufacturers of the healthcare softw

    • "The truth is you sign a lot over when you sign HIPPA [waivers]"

      Actually, no. There is no generic HIPAA waiver. For the most part, HIPAA doesn't require the patient to sign anything, except to authorize specific disclosures in unusual circumstances.

      I think what you're talking about is a clinic's Notice of Privacy Practices, which each provider or clinic is required to present to you at least once. By signing it, you simply acknowledge that you have received such notice, not that you agree with the clinic's
  • by Bored George ( 979482 ) on Monday June 05, 2006 @08:58AM (#15471572) Homepage
    RTFA! This is not about "laws", it's about one law: HIPAA. And it's not that the law is "ineffectual", it's that enforcement of the law is virtually nonexistent.
    • HIPAA is the defacto standard law for protection of medical records - further if you RTA, you will see that The Washington Post does not mention HIPAA by name until the 354th word of a 1200+ word article.

      In any case, a law that is not properly enforced IS ineffectual.
    • IMO, failure to enforce a law does not make the law ineffecual, but it does do so to those who are tasked with enforcing it. The cynical side of me thinks that perhaps since this law was enacted during the Clinton administration that the current leaders are simply not all that interested in enforcing its provisions.

      That said, and as someone who works in healthcare IT, I can substaintiate a post further up that stated that this law cost many health care deliverers millions upon millions of dollars to imple
    • The interesting thing here to me is the "voluntary compliance" sentence. The U.S. has another major law affecting all citizens that demands voluntary compliance, and gets it 99% of the time - Income Tax.

      So if you want to be able to enforce HIPAA, all you need is an IRS-like agency with IRS-like powers and IRS-like reputation - I guarantee you'll get your compliance.

  • It's not enough that we get numerous automovie analogies on Slashdot - now we get them in the articles as well. I expect the next step is the "+1, Car Analogy" mod (or -6, as the case may be).
    • It could be a neutral mod - +0 - Car Analogy. In fact, you could have a whole range of descriptive mods. These would be useful when the score is appropriate (so you don't want to give it a +1 or a -1) but the classification just doesn't fit. These could include a +0 on-topic, +0 mostly harmless, etc.
  • by jpellino ( 202698 ) on Monday June 05, 2006 @09:09AM (#15471623)
    After a year long bout with several parallel ailments, my GP asked me how I was, and I replied "except for the writer's cramp, just fine". Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HPPA not to divulge anything (maybe not explicitly required but it seems everyone's in CYA mode on every visit).

    As he observed, "What do they think I'm going to do - run out into the parking lot and yell to passers-by 'You'll never guess what Pellino's got...!'"

    And as I observed - you get three or more seniors in the waiting room, and no matter how the small talk starts, it always becomes a grand exposition of their ailments. "Huh! You don't know from gallstones! I should be so lucky to just have your gout!" and on and on and on...
    • "Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HPPA not to divulge anything"

      Then your provider needs to get a clue.

      You only need to sign one HIPAA "Notice of Privacy Practices", once, for each provider. If they give you a second one, it's because their NPP was revised, or they've lost track of the fact you've already got one.

      The NPP shouldn't ever ask you for anything or limit any of your rights if you sign it. It exists to inform you of the clin
  • by hagbard5235 ( 152810 ) on Monday June 05, 2006 @09:24AM (#15471713)
    While it's distressing that HIPAA is essentially seeing no enforcement, I find it more distressing that while it hinders movement of my medical information among my providers (requiring forms be signed by me, etc) it explicitely allows any law enforcement agent to waltz in without a warrant and assert without evidence that I am a suspect or victim in a crime and thus obtain my medical records.

    Everytime I hear someone throwing a fit about being able to obtain a warrant to get my library records I think of this. Funny how no one notices MASSIVE give aways of your privacy rights under democratic administrations. Oh, and look up 'know your customer' sometime too :)
    • I work in a pharmacy, and I can vouch for this. You know how pseudoephedrine became a controlled substance? Well, we now have to log all sales of it, including purchaser's name and address, and how much of the crap he bought. Police don't have access to your prescription records without a warrant, I'm pretty sure, but they can just come right in and check the PSE records. It makes me grind my damned teeth whenever I have to fill out that log book.
  • by ec_hack ( 247907 ) on Monday June 05, 2006 @09:29AM (#15471759)
    Most major health care organizations use outside auditors to look at privacy compliance. It is taken very, very seriouly by hospitals and the other organizations. My wife has dealt with the auditors at the ambulatory surgery center where she practices. They have made all kinds of nit-picky changes to their procedures, many of which make no sense. Example: when patients with dentures or retainers go in for surgery, they have to take the appliance out and it is placed in a plastic container of water. The container has a label from the medical records printout attached. After the patient leaves, procedure was to throw the empty plastic container in the medical waste bin for disposal by burning. The auditor demanded that they peel the label off after use and shred it.

    My late father had to have an outside auditor survey his office in order to remain on the list of authorized providers at several major insurance companies.

    The regulations are ambiguous as can be, so violations are going to happen until the appropriate practices are worked out.

  • by TX297 ( 861307 )
    HIPAA = Health Insurance Portability and Accountability Act (of 1996)
    HIPPA = Hippopotamus. With an A.


  • by sweetnjguy29 ( 880256 ) on Monday June 05, 2006 @10:00AM (#15471943) Journal
    This is a classic case of why consumers should have a private right of action to sue in court under the civil law. HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute. (However, a stricter State statute or privacy or contract law might allow a suit)

    There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.

    The thought process is "well, Congress said you have a right to have your information kept private, but didn't explicitly say that anyone besides the State can enforce this remedy, so oh well, your screwed if the government doesn't want to do anything."

    This thought process is not only unjust, but goes against 500+ years of legal of Common Law. Where you have a right, you should always have a remedy. It is an axiom, and 20+ years of Republican Judicial Activists have destroyed this notion. It is not right, and it is not fair. And it is not conservative. It is radical and undemocratic, and goes against the rule of law.

    See: [] and ue.htm [] and html []
    • >HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute.

      Lawyers are good at finding workarounds.

      Don't know how the case turned out, but someone filed a negligence suit (not a HIPAA suit, you're right that those can't be done) on the grounds that the legal "duty of care" now includes following HIPAA.
    • I absolutely agree with you. But if a cause of action were created and people started suing, a bunch of short-sighted slashdotters would begin screaming and crying about how overly litigious our society has become, while only today they wailed and moaned about how our rights are not being protected. Litigation is one of the crucial, crucial enforcement mechanisms of some of our most sacred rights, and I wish more people would realize this. There are frivolous suits, yes, but overall the effect safeguards mu
    • There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.

      Actually, it's an import from the law of the former Soviet Union, which had many unenforceable rights in the Soviet constitution.

  • by Wilf_Brim ( 919371 ) on Monday June 05, 2006 @10:37AM (#15472178)
    As a practitioner, let me say that HIPAA is being fairly actively enforced. There are some fairly bone headed breaches from time to time, but there are bone headed privacy breaches in every industry. I can tell you that there have been incredible unintended consequences. First, millions to billions have been spent (and are continuing to be spent) on HIPAA compliance. For the most part, this is money spent nominally on health care that is completely administrative in nature. Ever wonder where all of that 13% of the GDP spent on health care goes? A bunch of it is being spent on HIPAA compliance offices, with 4-6 FTEs being spent training, and doing paperwork. Not a terribly cost effective way of improving health care. Second, everyone now is safety wired into the "don't tell anybody anything" position. If your spouse is in the hospital, and you do not have a designated HIPAA compliant health care proxy, you (by HIPAA rules) don't get to know anything, other than where she/he is. No diagnosis, no prognosis, not what happened, nothing. If he/she didn't or wasn't able to make the designation in writing on admission (i.e. was run over by bus) you will need to jump a bunch of legal hurdles to get the information released. As a medical consultant, it is very hard for me to get information from people trying to refer patients to me. Too often I get the "I can't tell you that; HIPAA" line. Although, to be honest, this is a misinterpretation of the law, but many institutions have taken the view that "unless I have a piece of paper which explicitly states I can release information to you, I'm not telling you crap".
    • Well said. I've been practicing medicine for about 10 years, and I've seen my share of mishaps regarding privacy (even today). The hospital I currently work out of is very strict when it comes to privacy, and the punishments are, for the most part, pretty harsh. But violations, as I've said before, are handled first at a local level, ie the hospital administration, unless a lawsuit is filed. So punishments tend to be non-publicized, but are still appropriate. The public don't hear about remedies unless
  • Warranties (Score:3, Informative)

    by Aram Fingal ( 576822 ) on Monday June 05, 2006 @10:44AM (#15472228)
    I think the thing with HIPAA is that it takes time for it to improve security and privacy. Basically, you can handle it however you want as long as you justify your decisions in writing as being "reasonable." Reasonable security might mean that it would cost so much to do things more securely that it would adversely affect service. There are so many small niche markets for medical information software that your reason for poor security may simply be that you only have two or three vendors who serve your specialty and they all have poor security. Many of these applications were created before security was taken as seriously as it is now and many were designed for isolated LANs but are now being connected to the internet. I hope that the bar will be raised by those people who go the extra mile. Then the standard for "reasonable" will eventually become something which really protects privacy.

    This goes to the topic of software warranties. Most medical informatics software come with something like a "statement of HIPAA compliance." which basically says that the vendor has designed the software in a way that it can satisfy HIPAA if you do your part to make it secure. This is fine in itself. The problem is that these applications don't run in isolation. You need an operating system to run them on and they quite often only run on the operating system with one of the worst security track records in the business. They may also depend on other application software. For example, one which I work with uses Microsoft Word and Word Macros to handle reports from the database. It was designed that way in order to allow the integration of third party options like speech-to-text from a variety of vendors. The thing is that Windows and Word don't come with any statement of HIPAA compliance. They follow the common practice in the software industry of disclaiming all warranty including against negligence.

  • by Yvanhoe ( 564877 )
    I swear I read at first the news as 'Medieval Privacy Laws...' damn associative memory
  • by r00t ( 33219 ) on Monday June 05, 2006 @11:25AM (#15472550) Journal
    Want insurance?

    You must sign a waiver of your HIPPA rights. You agree that data given to the insurance company will not be subject to HIPPA regulations.

    Seriously, read the fine print. HIPPA does not exist unless your insurance company was unusually dumb. HIPPA is nothing until the law prohibits waiver of rights.
  • by Anonymous Coward
    In Australia, practioners do not receive or ask your health insurance about how much cover you have. They give you the bill and it is up to you to organise paying it (between you and the health insurance company.)

    In America, every medical facility that you want to claim through your health insurance appears able to access basic health insurance information such as how much you have spent "this year". What a joke.

    Roll over citizen John, ACME Inc wants to make a buck and you're not allowed to have any priva
    • Another way that things are slightly better in Australia is that, IIRC, there is a law there that prevents software manufacturers from disclaiming all warranty (particularly for negligence). If you read way down the Windows EULA, there is a reference to a specific Australian law (cited by statute number)and it says that if you sue Microsoft under this law, you agree that your only remedy is replacement of the software. I guess that's another example of having the right idea but not adequate enforcement.
  • is that it contains no private right of action. In other words, you can't sue your insurance company when they sell your records to a marketing company^W^W^W^W^W^W^W share some of your health information with some of our selected, carefully prescreened partners. Your only recourse is to make a complaint to the same people that routinely accept millions in bribes^W contributions from the people you're complaining about. This is true with so many "protections" passed by this administration while at the sam
  • by Aram Fingal ( 576822 ) on Monday June 05, 2006 @01:24PM (#15473599)
    Since no one has pointed it out yet, I should mention that HIPAA stands for the Health Information Portability and Accountability Act. It's the portability part that came first. The accountability part only came after privacy advocates objected. The main purpose of HIPAA was to make it easier to share data among care providers. The medical profession is much more spread out among different specialties and facilities than it ever was in the past.

    One of the basic principals of HIPAA is that you can share data with anyone who is directly involved in the care of the patient and anyone who is responsible for billing for that care. I am involved with a clinical laboratory. We take samples from referring physicians, process them and give the results back. Many patients probably don't even realize that they are in our database. It seems to me that this is one of the weaknesses in HIPAA. You ought to have a right to know who has your data.

    The principal of medical privacy is there to prevent anyone from avoiding treatment for fear that their information will get out. This not only applies to people with diseases which might have a social stigma but it also applies to a case like that of a criminal on the run. Such a person should not have to avoid medical treatment for fear of being tracked through medical records. This is tantamount to denying medical care. Doctors should not be part of law enforcement (of course that general principal is not absolute when you consider examples like child abuse). I wonder if the level of access by law enforcement to medical data may already be causing some people to avoid, or delay being tested for conditions.

    HIPAA needs to to have a number of new provisions. You should be able to find out who has medical records on you, you should be able to get copies and have the original records deleted, or more likely anonymized since many laws require bulk reporting of the occurrence of certain diseases.
  • causing a pain in my A5S!

    I could paper my walls with the number of stupid disclosure notices I've had to sign. One for each member of the family at each healthcare provider including eye doctories, pharmacists, alergists, etc., and another one for each school, camp, afterschool program, and employement situation.

    All this, which in my case is well over 100 by this point, and they are useless?


    It makes me as angry as when I fill out forms for schools and camps for the kids and they have 4 or
  • Eureka! (Score:3, Funny)

    by abb3w ( 696381 ) on Monday June 05, 2006 @02:28PM (#15474125) Journal

    So put this [] and this [] together, and we read the secret headline "Midaeval Piracy Laws", thereby tying HIPAA in with the MPAA and RIAA and the basic Slashdot anti-Copyright agenda! Yes, it's a *AA conspiracy!

    Go on, mod me insightful. It's a slow news week so far.

  • From the outset, HIPAA was expected to have a period of voluntary compliance, followed by a period of enforcement aimed more toward corrective action than towards punishment. I don't recall just what the intended durations were, but the period of corrective enforcement was to be at least a few years long.

    Although HIPAA was set in motion back in 1996, the Privacy rule only came into mandatory effect in October of 2002, and the Security rule not until April of 2005. We might be nearing the hard-enforcement da
  • At my employer, as with many companies these days, the health insurance that's offered to employees has changed from a standard insurance provider like Blue Cross (just for example), to "Self-Insured", under the federal Employee Retirement Income Security Act, a.k.a., "ERISA".

    What this means, besides the loss of virtually all state-mandated consumer protection in the area of medical reimbursement (because ERISA supercedes all that), is that now, instead of a 3rd party insurer getting my medical billing i
  • Just goes to show the Bush admin has plenty of tyme to push for an amendment to the constitution to deny some the ability to marry whom they want in a consentual manner but won't take the tyme to enforce a law already on the books. Seems like businesses can't to any wrong but individuals can't be allowed to do what they want when they aren't harming another.


e-credibility: the non-guaranteeable likelihood that the electronic data you're seeing is genuine rather than somebody's made-up crap. - Karl Lehenbauer