
Medical Privacy Laws Highly Ineffectual

Rick Zeman writes "According to the Washington Post, since Americans gained statutory privacy for their medical records backed by the US Federal Government (via HIPAA), the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases saying that they were pursuing 'voluntary compliance.'" From the article: "'It's like when you're driving a car,' said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. 'If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply.'"
  • by MikeRT ( 947531 ) on Monday June 05, 2006 @07:57AM (#15471280)
    How many of these cases were privacy violations due to accidents, staff inexperience, etc.? Do you really want doctors getting in legal trouble over trivial violations their first time or a particular staffer's first time? That is a GREAT way to drive up their insurance costs which only benefits lawyers and the insurance industry. You, in turn, pay higher medical costs.

    And whatever happened to innocent until proven guilty? This sounds a lot like the feminist tendency to say "she claimed she was raped, and women never lie about rape, thus she must have been raped." People get impassioned and complain all of the time for invalid reasons. People also complain out of ignorance, what they feel the law ought to be, etc. Broadcasting would be dead if every complaint sent to the FCC was taken at face value, and every slip of indecency were fined.

    How about we work toward some real privacy like, I don't know, fighting to keep the DMV from selling our records, the IRS our tax records (they want to do that now), get laws passed making law enforcement DNA databases available only to the police and NEVER to insurance groups, the DoJ requiring mandatory data retention and things like that.
  • I agree. The same happens in Argentina; most medical records can be hacked, since most of them are still on paper :)
  • by plague3106 ( 71849 ) on Monday June 05, 2006 @08:09AM (#15471328)
    The problem is that the health care facility doesn't care either.

    My wife works in a hospital processing insurance. She complies with HIPPA (because privacy of her medical records is important to her), and will report the many violations she sees (technically, she could be fired for not reporting). However, her manager and upper management never do anything but give a verbal warning.

    There have been some pretty major violations too. They just don't care.
  • by taumeson ( 240940 ) * on Monday June 05, 2006 @08:12AM (#15471347)
    I know how awful it sounds, but think about it another way:

    1. Everybody in the office was theoretically allowed to get to that patient data.
    2. They NEEDED to share passwords because of how the insurance carriers set up their BBS. They only give one username/password combo out per company, but we had a dozen billers.
    3. We worked in a locked office with security.

    So...the information was supposed to be shared amongst the people in the office, but functionally needed to be stored somewhere because, well, "turnover". So our barrier between the patient data and the outside world was twofold:

    1. Even if you had a username and password, would you know how to get my patient data off a greenscreen emulator by connecting to our AS/400 and using passthrough to get it from the government?
    2. We were on an upper floor in a nondescript office building with locks.
  • Why HIPPA is broken (Score:4, Interesting) by callistra.moonshadow ( 956717 ) on Monday June 05, 2006 @08:30AM (#15471417) Journal
    Case in point: My father was hospitalized and I was called to approve treatment over the phone. The ER personnel never gave me the HIPPA security code. Later I called to check on his status. The nursing desk staff refused to give me that information citing HIPPA. Uh...they called me as medical power of attorney to give permission to treat him yet they never gave me the top-secret security code. When I pointed out how ludicrous that was they just used HIPPA as the reason to not give me my dad's health status. I managed to bypass the idiocy with the use of said Protected Healthcare information to get the information requested. It just shows that laws are made by the powers, but the analysis of the use-cases that will interact with the laws have not been given the proper review for the cases that are exceptions. So, all that said, nothing surprises me.
  • by tiltowait ( 306189 ) on Monday June 05, 2006 @08:34AM (#15471442) Homepage Journal
    Last year my health insurance company, in response to a billing dispute, sent me a full page from their billing database. The record for my family took up just one paragraph, and above and below it I could see other patient names, billing codes, account numbers, and more.

    I asked them to explain this, and got no response. I sent the sheet of paper to the US Department of Health & Human Services. A few months later I got a letter back in the mail from them, stating that they had investigated the situation, the provider (Humana) admitted making a mistake which resulted in a privacy violation, and they weren't going to do a damn thing about it.

    So, I'm hardly surprised by this article. Still it's sad to see I was in the 73 percent of cases.

  • by SpaceBass ( 57416 ) on Monday June 05, 2006 @08:43AM (#15471484) Homepage
    First, there is a LOT to HIPPA to understand. People often think any discussion of their medical history is a violation. The truth is you sign a lot over when you sign HIPPA waivers. For instance, the right for your care giver to discuss anything about you with any other potential care giver (you often want this, trust me).

    One of the areas that does continually surprise me is that medical records are stored, transmitted and displayed all in clear text. Some of the major manufacturers of healthcare software often use FTP (not SFTP) to exchange records with their customers. Even internally within a hospital, records are transmitted from one system to another in clear text.

    If you want security, ask your care giver how they are protecting your electronic records.
  • by Aram Fingal ( 576822 ) on Monday June 05, 2006 @11:38AM (#15472681)
    One case which I can comment on (up to a point) is one which I was involved in. There was a period, a while back, where we were just beginning to realize the extent of the spyware problem on PCs and we started to install two or three different antispyware applications on each machine. In this process, we discovered that two of our medical transcriptionists had been infected with keylogger trojans which were sending data to an internet marketing company. This, of course, had to be reported as a HIPAA violation. The authorities did nothing as a result of the incident but we started to take security more seriously anyway.

    I had previously argued that these computers should use a particular set of secure, internal, non-routed IP addresses which are available on our network (we are part of a large university). In the rush to get the new system going, the people who installed the workstations had used the regular, less secure IP addresses (which don't require proxies to access the internet). It was surprisingly difficult for me to convince people that using these internal IP addresses was necessary because antispyware software will never be able to catch everything. Not to mention the other security benefits of not being directly visible from the internet. I think many people just don't grok the concept.

    These computers were eventually moved to the secure IP address range (with proxy access denied as well) and other additional measures were taken to secure them but I don't think that would have happened without the reporting requirement of HIPAA. Still, it's surprising that there wasn't any more reaction from the authorities. My guess is that they were just swamped with similar reports.
  • by taumeson ( 240940 ) * on Monday June 05, 2006 @01:58PM (#15473886)
    1. Why the hell do people keep calling HIPAA HIPPA? There are two A's, not P's.
    2. There are more lawsuits for "breaches of privacy" than from before HIPAA... I suppose the argument can be made that they're not "frivolous", but I just wanted to point this out.
    3. Some doctors do make too much money. I know of doctors worth over 100 MILLION. I can't see a big difference between what they did (the one I'm thinking about died a few years ago) and what my GP does. And when it takes a 2 MILLION dollar starting bonus just to get a crappy cardiologist in the door, well, things might be out of whack.
    4. HIPAA was passed in 1996... way before the Bush Administration was put into power. As you should know, March and October 2001 were important milestones for HIPAA, neither of which you can give the Bush Administration any credit over as far as fleshing out the framework. Sure, the BA had a lot of input into the rules by the April 2003 enactment of the Privacy portion, but the "framework", as you called it, had nothing to do with them.
    5. Capping liability payouts does very little to nothing to keep insurance premiums down; regulations are the only thing that keeps premiums down. When you cap liability payouts the insurance companies do not pass the savings on to the consumer, and this can be seen by analyzing the states that have passed liability caps. Now, don't get me wrong, I believe punitive damages should be capped and actual damages uncapped, but insurance companies say that unless you give them the power to determine actual damages they aren't going to be able to control costs and therefore don't pass the savings on to the consumer.
  • by fishdan ( 569872 ) on Monday June 05, 2006 @04:16PM (#15474989) Homepage Journal

    I work for another giant healthcare company, and I can tell you that where HIPPA is making a huge difference for us is in firings. We've let go MANY people that we'd wanted to fire for various reasons, but it's hard to fire people -- especially those who manage to be incompetent at everything except knowing how to fight to keep their job. Previously, even when we had a "zero tolerance for errors" (something you'd want at a hospital, no?) we still could not fire people who made repeated mistakes without going through a HUGE long drawn-out process.

    Now, 2 HIPPA violations, and you can fire anyone.

    Don't get me wrong, I don't want to fire people, and I'm not looking for a reason. But it's nice now to have a tool that shears past union complaints etc. And in talking to colleagues, they have expressed to me that HIPPA has been a godsend for them too in trimming off legacy employees who were not able to function in a modern environment, but were too "senior" to release just for being technically incompetent.

    In re-reading before posting, the above sounds cold. I suppose it is, but I'm just talking about the difference that HIPPA has made for us. And great employees don't get dismissed for HIPPA violations, but in a time and place when no one can be fired without a preponderance of evidence of incompetence, this is a nice loophole.