Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Medical Privacy Laws Highly Ineffectual

Zonk posted more than 8 years ago | from the get-effectual dept.

Privacy 133

Rick Zeman writes "According to the Washington Post, since Americans gained statutory privacy for their medical records backed by the US Federal Government (via HIPAA), the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases saying that they were pursuing 'voluntary compliance.'" From the article: "'It's like when you're driving a car,' said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. 'If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply.'"

Sorry! There are no comments related to the filter you selected.

dinkleberry (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15471230)

FP, you dinkleberries!

For the LOVE of GOD what is this CRAP ? (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15471234)

For the LOVE of GOD what is this CRAP ? A clown college web page ?

Considering the recent incidents..... (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15471245)

Considering the various privacy issues that have plagued this administration, most recently in the form of the whole NSA wiretapping debacle, what would make anyone think they'd give a damn about the privacy of anyone but themselves?

Re:Considering the recent incidents..... (4, Informative)

taumeson (240940) | more than 8 years ago | (#15471271)

Having been the HIPAA security officer for the Home Health division of the nation's largest protestant health organization, I can tell you we spent MILLIONS trying to be HIPAA compliant. We locked down servers and databases (encrypted data on secured databases on secured servers on secured networks). We instituted dual-factor authentication and physical security. We stressed our management application to its limits doing our best to ensure patient security and privacy.

But, again, its the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.

Good grief? Sure, but that was HIPAA compliant.

So, please, geeks of the world, let's not bash an entire industry based on one article.

Re:Considering the recent incidents..... (2, Funny)

FudRucker (866063) | more than 8 years ago | (#15471283)

RE:"but at least I had them put it in their drawers."

ouch!

Re:Considering the recent incidents..... (2, Interesting)

taumeson (240940) | more than 8 years ago | (#15471347)

I know how awful it sounds, but think about it another way:

1. Everybody in the office was theoretically allowed to get to that patient data.
2. They NEEDED to share passwords because of how the insurance carriers set up their BBS. They only give one username/password combo out per company, but we had a dozen billers.
3. We worked in a locked office with security.

So...the information was supposed to be shared amongst the people in the office, but functionally needed to be stored somewhere because, well, "turnover". So our barrier between the patient data and the outside world was twofold:

1. Even if you had a username and password, would you know how to get my patient data off a greenscreen emulator by connecting to our AS/400 and using passthrough to get it from the government?
2. We were on an upper floor in a nondescript office building with locks.

This puts a new twist on (1)

ColdWetDog (752185) | more than 8 years ago | (#15472181)

the old aphorism

getting your panties in a bunch

Still, the OP is right. HIPAA, as with all government attempts at regulation, is a wierd, complex, inconsistent, illogical construct that underneath all of the legal mumbo jumbo, handwaving and threats, is actually trying to do something useful.

The really scary aspect of this is that it represents a significant improvement from before. From someone who has been running a small medical office with ancient, creaking paper based systems and an even more ancient, creaking electronic billing system, I for one, welcome our new (and somewhat benign appearing) medical information security overlords.

Re:Considering the recent incidents..... (3, Informative)

electroniceric (468976) | more than 8 years ago | (#15471657)

I'm also a HIPAA security officer, but for a tiny startup, so it's only a small fraction of my job. But you hit the nail right on the head here:
But, again, its the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.
HIPAA marked a big transition in regulation because:
a) enforcement is complaint-driven, rather than having an inspection apparatus.
b) It "scales": for many provisions, you can provide an explanation why you should be able to take an alternate (less onerous) measure.
c) it explicitly focuses on management controls much more than data specifics.

As a practitioner, I think this was a good approach (note that part c was taken up in earnest by Sarbanes-Oxley). Data privacy is an extraordinarily complicated affair, and one that is still evolving. Frankly, it's not like other industries in charge of personal data (e.g. finance) have done all that well either. And regulation itself takes time to settle down. Neither of these issues were explored at all by this article. I'd say given how much HIPAA differed from other regulation, and how dynamic the situation is, the implementation timeline has also been reasonable.

Additionally, medicine is an extraordinarily fractured industry. There is no smooth "supply chain" type model for moving patients or data through the system, rather nearly every transaction is negotiated. The parent touched on this, but I'll go a bit further: a large fraction of medical transactions require human intervention to move data, and a huge amount of medical data has yet to be digitized. This is in stark contrast to physical industries like airplanes or retail, all of which have systematized many or most of their transaction chains.

I'd say the right thing to do is to give the regs more teeth by prosecuting a few of the worst offenses. Basically, make it easy to show how and why disclosures caused damaged. This will put people on notice that the government is serious about the regs. If that doesn't work, the regs themselves can be tightened up, hopefully in the context of broader data privacy legislation.

Re:Considering the recent incidents..... (1)

mccp (977696) | more than 8 years ago | (#15471997)

I work very low-level at Big Insurance Company, where every day I see nearly a thousand people's confidential medical information. The average claim is probably seen by about six pairs of eyes during its lifetime. As far as external breeches go, we keep everything locked up pretty tightly, with 24-hour security guards etc. (they cornered me in the parkinglot one night) What does anger me, is that the mainframe passwords must be 6-8 characters. They wouldn't even let me use my 16 character password.

Re:Considering the recent incidents..... (1)

Sazarac (621648) | more than 8 years ago | (#15472252)

I heartily concur. As a software developer for a hospital, we go out of the way to make sure things as secure as we can make them. We also scrutinize our designs from the perspective of HIPAA compliance. For example, we recently instituted a method that doctors could get a weekly email of their charts that they need to sign, dictate, etc. We cannot get paid until the doctors do this step. Unfortunately, we can't send individual patient info over email, even if it's on a server in our control-- therefore we have to send aggregate counts and a link back to our system and force the docs to authenticate before they can see the actual charts they are deficient on.

Basically, we are putting off getting paid by the insurance companies for the sake of protecting our patients information. Still it's worthwhile, in fact, we rate some of our project's by how many potential fines we could avoid. Even if we never get fined, we still evaluated it was though we would have from the beginning.

Also bear in mind that three years is not very long to evolve a large system of business processes into compliance. Consider how long it took some companies to get to ISO9000, and that was voluntary!

Also, from the I'm-Also-A-Customer Dept., I was hospitalized two years ago with a very severe case of pancreatitis (7 out of 8 Ranson), and due to HIPAA, the docs could only tell my parents that my chances were grim and to make arrangements for my demise. They couldn't tell my fiancee. My parents elected not to disclose that info to her or anyone else-- so every visitor I had in the ICU came in thinking I was going to be all right and I think I could sense that positive energy.

There is plenty of motion (1)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#15473002)

I'm getting revenue from HIPAA compliance efforts and a lot of people at conferences are there to talk about "how we survived HIPAA".

Here's what's worrisome, though. The most common approach to HIPAA is "what's the least we have to do to stay out of jail?". Unless there's enforcement through some channel, those HIPAA initiatives will turn into forgotten dust-covered binders.

Re:Considering the recent incidents..... (2, Interesting)

fishdan (569872) | more than 8 years ago | (#15474989)

I work for another giant healthcare company, and I can tell you that where HIPPA is making a huge difference for us is in firings. We've let go MANY people that we'd wanted to fire for various reasons, but it's hard to fire people -- especially those who manage to be incompetent at everything except know how to fight to keep their job. Previously, even when we had a "zero tolerance for errors" (something you'd want at a hospital no?) we still could not fire people who made repeated mistakes without going through a HUGE long drawn out process.

Now, 2 HIPPA violations, and you can fire anyone.

Don't get me wrong, I don't want to fire people, and I'm not looking for a reason. But it's nice now to have a tool that shears past union complaints etc. And in talking to colleagues, they have expressed to me that HIPPA has been a godsend for them too in trimming off legacy employees who were not able to function in a modern environment, but were too "senior" to release just for being technically incompetant.

In re-reading before posting, the above sounds cold. I suppose it is, but I'm just talking about the difference that HIPPA has made for us. And great employees don't get dismissed for HIPPA violations, but in a time and place when noone can be fired with out a preponderance of evidence of incompetance, this is a nice loophole.

Re:Considering the recent incidents..... (2, Insightful)

Nuffsaid (855987) | more than 8 years ago | (#15471303)

What "NSA wiretapping debacle" are you talking about? A debacle is when you are defeated. In the case of US Government spying on millions of its citizens, what happended is just that the news got out. Were they forced by public outcry to stop such activities, you could call it a debacle. But, for what I know (I'm not American, so maybe missed something) they didn't stop. US citizens lost, not the Government.

When scandals explode, it's too easy to think "Aha, they got caught! Now they HAVE to stop this!", but it's not always what actually happens. The fact that many Americans put so much faith in the power of free information speaks very well about the level of freedom and democracy they enjoyed until recently.

Re:Considering the recent incidents..... (3, Interesting)

plague3106 (71849) | more than 8 years ago | (#15471328)

The problem is that the health care facility doesn't care either.

My wife works in a hospital processing insurance. She complies with HIPPA (because privacy of her medical records is important to her), and will report the many violations she sees (technically, she could be fired for not reporting). However, her manager and upper management never do anything but give a verbal warning.

There have been some pretty major violations too. They just don't care.

I'd modify this story's title this way: (3, Insightful)

bogaboga (793279) | more than 8 years ago | (#15471265)

Since http://www.slashdot.org/ [slashdot.org] is read through out the world, I'd modify this story's title to read...

Medical Privacy Laws [in the USA] Highly Ineffectual

Slashdotters all over the world are smart enough to know that the problem with those medical records is largely a local problem. That is to say, it is a US problem and not a problem for the whole world. Here in Sweden, we have no such trouble.

Re:I'd modify this story's title this way: (3, Informative)

MichaelSmith (789609) | more than 8 years ago | (#15471284)

Here in Sweden, we have no such trouble.

I have to say I am surprised. I am sure we have it here in Australia.

Re:I'd modify this story's title this way: (2, Interesting)

stm2 (141831) | more than 8 years ago | (#15471292)

I agree. The same happens in Argentina, most medical records can be hacked, since most of them are still in paper :)

Re:I'd modify this story's title this way: (0)

Anonymous Coward | more than 8 years ago | (#15471434)

This would be opposed to nations where there isnt even a statuatory doctor patient privilege ?

The Hipaa laws are ok, they suffer from the usual problems of laws made by comittee, If you were in medical IT you would find yourself ignoring them in detail but observing them in spirit. The problem with them is that the clinton administration never put in an enforcement mechanism and the bush administration has been more concerned about its own health care initiatives (Prescription durgs, HSAs, etc)

Re:I'd modify this story's title this way: (1)

C10H14N2 (640033) | more than 8 years ago | (#15471568)

On my current project I brought up HIPAA compliance issues, primarily data encryption between remote facilities. Color me horrified when I was informed of the gaping loophole that exempted us completely from HIPAA.

"I think we're dangerously close to having a law that is essentially meaningless."

Certainly is for me.

Re:I'd modify this story's title this way: (1)

pnutjam (523990) | more than 8 years ago | (#15472691)

Just wait 'til they start balancing the budget with HIPAA fines. It will be like speeding tickets for the feds.

Re:I'd modify this story's title this way: (2, Informative)

LnxAddct (679316) | more than 8 years ago | (#15471499)

I wouldn't modify the title at all. Slashdot is a U.S.-centric site, and most of its readers are American. [slashdot.org] Having people from all around the world read it is great, but Slashdot caters to an American audience. If something doesn't state it, assume it is talking about America.
Regards,
Steve

Re:I'd modify this story's title this way: (1)

Guppy06 (410832) | more than 8 years ago | (#15471776)

"Since http://www.slashdot.org/ [slashdot.org] is read through out the world,"

Um... so? You might be able to make an argument that Slashdot should change to cater to new, potential readers, but if people are already coming here while Slashdot is still US centric, why bother?

"Slashdotters all over the world are smart enough to know that the problem with those medical records is largely a local problem."

But they're just not smart enough to know that the default location for news is the US?

"Here in Sweden,"

Should Slashdot take the next logical step in your suggestion and start publishing in Swedish?

Re:I'd modify this story's title this way: (1)

tob (7310) | more than 8 years ago | (#15473751)

but if people are already coming here while Slashdot is still US centric, why bother?

Because it makes Americans look like ignorant idiots who do not realize there's places outside the glorious US of A? If you don't care, fine, but it's something that would motivate me.

Tob

--
Slashdot, news for nerds, stuff that matters to merkins.

Re:I'd modify this story's title this way: (1)

1u3hr (530656) | more than 8 years ago | (#15474171)

Because it makes Americans look like ignorant idiots

Insularism is the least problem Slashdot has in that regard. When Taco can write:

Here people might not properly capitalize a proper noun. They might transpose letters in 'thier'. They might use jargon that isn't in oxford. And all of that is OK with me.... It's almost as if some percentage of the population wants to complain. And they will find something to complain about no matter what. Perhaps by leaving a few typos on the site, I am making their day a little easier!
http://slashdot.org/article.pl?sid=06/01/18/143218 [slashdot.org]
And he never bothered to mention fact-checking, as it's just inconceivable that he'd bother. Thus the number of absurd hoaxes published; magic energy machines; and the dupes.

But as for bringing down disrepute on the whole nation; Slashdot illustrates that every time there is an article with the word "evolution" in it.

Re:I'd modify this story's title this way: (0, Flamebait)

Luscious868 (679143) | more than 8 years ago | (#15475043)

Americans don't care about other coutnries because other countries don't matter. Deal with it.

Re:I'd modify this story's title this way: (0)

Anonymous Coward | more than 8 years ago | (#15472883)

Thats great. However, since the whole world can't simply move to Sweden, your post is totally worthless. You're lucky I spent my mod points earlier.

Re:I'd modify this story's title this way: (1)

code_honky (767548) | more than 8 years ago | (#15473045)

Come on....are you saying the no healthcare entity in Sweden has any problem with privacy? That seems a little far fetched and a tid centralist.

I call BS on bogaboga (0)

Anonymous Coward | more than 8 years ago | (#15473391)

Here in Sweden, we have no such trouble.

Probably any information about you that is stored in any computer in Sweden is available for the right price. What makes you believe otherwise?

Do you really want them to act on every complaint? (4, Interesting)

MikeRT (947531) | more than 8 years ago | (#15471280)

How many of these cases were privacy violations due to accidents, staff inexperience, etc.? Do you really want doctors getting in legal trouble over trivial violations their first time or a particular staffer's first time? That is a GREAT way to drive up their insurance costs which only benefits lawyers and the insurance industry. You, in turn, pay higher medical costs.

And whatever happened to innocent until proven guilty? This sounds a lot like the feminist tendency to say "she claimed she was rape, and women never lie about rape, thus she must have been raped." People get impassioned and complain all of the time for invalid reasons. People also complain out of ignorance, what they feel the law ought to be, etc. Broadcasting would be dead if every complaint sent to the FCC was taken at face value, and every slip of indecency were fined.

How about we work toward some real privacy like, I don't know, fighting to keep the DMV from selling our records, the IRS our tax records (they want to do that now), get laws passed making law enforcement DNA databases available only to the police and NEVER to insurance groups, the DoJ requiring mandatory data retention and things like that.

Re:Do you really want them to act on every complai (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15471299)

Two problems. First, the ratio. It seems hard to believe that only two out of thousands were serious enough to prosecute. Secondly, more crucially, is the explanation given. It isn't that they've investigated the thousands of complaints and found that they don't warrant prosecution, it's that they want "voluntary compliance". Sorry, but that's stupid. The whole point of laws is that they're enforced. If you want people to play nice voluntarily then don't pass a law. If you pass a law then enforce it.

Re:Do you really want them to act on every complai (1)

yuna49 (905461) | more than 8 years ago | (#15473312)

It seems hard to believe that only two out of thousands were serious enough to prosecute.

And in one of those cases, the crime involved selling an FBI agent's medical records. Wonder why the Justice Department (in which the FBI is housed) chose to prosecute that case?

Re:Do you really want them to act on every complai (0)

Anonymous Coward | more than 8 years ago | (#15471338)

HIPPA is very very far reaching. Only you and your doctor should know your name and your medical condition, everywhere else it your name should be coded as number that other office workers cannot lookup. It's good in theory but any small private practice is run like any other small family owned business.


It's a classical example of the governement taking something simple and completely fucking it up and it's why healthcare is so expensive in the US. As it is, HIPPA will never fully be implemented, there will continue to be extensions, complaints won't be addressed and health care and insurance providers will continue to pass the costs on to the customers without actually making it "more secure." It's just like another expensive line item to pork barrel.


I'm not a socialist but at the current rate we will have to socialize medicine in the US.

Re:Do you really want them to act on every complai (1)

needlescaraway (969273) | more than 8 years ago | (#15473057)

> Only you and your doctor should know your name
> and your medical condition, everywhere else it
> your name should be coded as number that other
> office workers cannot lookup.

Because the medical assistant doesn't review labs, and the records clerk doesn't file documents in your chart, and the billing clerk doesn't handle your call about the diagnosis codes on your latest EOB...do you have any sense how health care is actually delivered, even in efficient, high-quality places that are fully HIPAA-compliant?

Re:Do you really want them to act on every complai (0)

Anonymous Coward | more than 8 years ago | (#15471358)

Doctors, especially in the US, have money. They can easily cover a fine of say, $200. It doesn't increase their costs greatly, but at least it does give the impression that the laws are to be taken somewhat seriously, and will be enforced.

If your private information is compromised, I don't think you'd really give a fuck if it was due to some staffer's inexperience or an accident. The end result is that you've got to deal with your credit card information being used improperly, or you have to deal with your identity being used by a criminal somewhere else, or a myriad of other problems.

As for increasing costs, proper enforcement of this legislation may actually decrease expenses. It likely takes far more time and money for somebody to clear up a case of their credit card information being stolen and used to make purchases, than it does for a healthcare provider to secure its patients' information.

Re:Do you really want them to act on every complai (0)

Anonymous Coward | more than 8 years ago | (#15472312)

Yes, in fact, you do want to act on them. Note that act does not mean "assume the complaint is valid and slap a huge fine on the company"; but it does mean investigate and take appropriate action per the law.

I don't care if an offense was "accidental"; this is serious stuff, and the companies entrusted with this information need to take seriously the charge of protecting it. Being careless enough to "accidentally" divulge protected information should not be accepted.

Now a variation on that: In these early years of the law, when its meaning is unclear, it is reasonable that a company acting in good faith but failing to understand the requirements might get off with a light fine or a warning for the first couple offenses. But that still requires that complaints be investigated and acted upon.

See, absent an active regulatory environment, nobody knows exactly what these laws mean. That's why some leniency makes sense early on; but if that leniency is extended to the point of turning a blind eye, then the companies have no way to learn what the law does, in fact, mean. Spend $billions to enforce what your legal department thinks HIPAA means, and that still doesn't mean you've really captured what you're supposed to be doing. Keep in mind who pays your legal department; they're going to try to tilt their interpretation as far as they can without getting you in legal trouble, and if there's no enforcement, then the net result will be there might as well be no law.

Now, let's suppose that legal somehow figures out what the law means, and in spite of seeing the lack of enforcement the company nonetheless constrains itself to setting policy according to the law. Still no good without enforcement. Corporations are big places. Even when the company as a whole spends huge sums of money on compliance, the law will not truly be effective until the entire company's structure is on board, down to the PM's at least. I can tell you absolutely that when a project gets under pressure, the sentiment comes out that it's ok to skimp on HIPAA compliance because nobody is getting in trouble for violations. Sure, every professional "should" take the stance of "it's the law, so that's that"; but if there's no enforcement, that doesn't happen.

Re:Do you really want them to act on every complai (2, Interesting)

Aram Fingal (576822) | more than 8 years ago | (#15472681)

One case which I can comment on (up to a point) is one which I was involved in. There was a period, a while back, where we were just beginning to realize the extent of the spyware problem on PCs and we started to install two or three different antispyware applications on each machine. In this process, we discovered that two of our medical transcriptionists had been infected with keylogger trojans which were sending data to an internet marketing company. This, of course, had to be reported as a HIPAA violation. The authorities did nothing as a result of the incident but we started to take security more seriously anyway.

I had previously argued that these computers should use a particular set of secure, internal, non routed IP addresses which are available on our network (we are part of a large university). In the rush to get the new system going, the people who installed the workstations, had used the regular, less secure IP addresses (which don't require proxies to access the internet). It was surprisingly difficult for me to convince people that using these internal IP addresses was necessary because antispyware software will never be able to catch everything. Not to mention the other security benefits of not being directly visible from the internet. I think many people just don't grok the concept.

These computers were eventually moved to the secure IP address range (with proxy access denied as well) and other additional measures were taken to secure them but I don't think that would have happened without the reporting requirement of HIPAA. Still, it's surprising that there wasn't any more reaction from the authorities. My guess is that they were just swamped with similar reports.

Re:Do you really want them to act on every complai (2, Informative)

budgenator (254554) | more than 8 years ago | (#15473709)

It's hard to figure out what's a violation and what isn't; in a 12 mile radius of me there are 7 people with the same first and last name as me, 3 of those people have the same middle initial. Obviously the release of my name wouldn't really be personally identifying, however if my name was qvidis.... it would.

This HIPPA stuff is affecting patient care right now. 3 weeks ago I burnt my hand at work, so the boss drives me to the Port Huron Hospital ER (newly remodeled for increased HIPPA compliance); there is no triage any more because that's HIPPA sensative data. My pain on their scale of 1 to 10 is about 18, I've got about a square inch of skin just flapping in the breeze, my knees are starting to buckle and the info clerk is explaining to another person how to get to the third floor! Eventually I get to be seen in the ER proper, they start an IV push some morphine into it which takes my pain from 18 to 9, cover my burn with gauze and sterile saline and ask me when I had my last tetanus shot. My personal doctor's office has all of the admin stuff done by Mercy hospital, the records are supposed to be available 24-7, so I get a tetanus booster I don't need in the other arm and they call an ambulance to transfer me to the burn center at Detroit Receiving Hospital. I get to DRH's ER give them all of my data which is inputed into their New computer system, get taken up to the burn center only to not be in the computer system, and have the burns deroofed and debrided ( the definition of pain is yet again expanded for me) and sent down to a bed on a med-surg unit. I remember looking at the clock after I burned my hand and it was 6:05 PM thurs., it's now 3:45 am on friday and I'm not in the new computer system, I guess they can't release personal data that can't be found!

It gets even better (3, Informative)

plopez (54068) | more than 8 years ago | (#15471404)

Check this out.

http://www.consumerist.com/consumer/irs/breaking-i rs-archive-control-sold-to-lowest-bidder-177771.ph p [consumerist.com]

Talk about your privacy in jeapordy. How long before these records end up on an insecure server, or off shored to where people don't give a crap and sell the information. Identity theft anyone? How is keeping records secure *not* a core function?

Every day I wake up amazed at the sheer stupitiy around me.

Re:It gets even better (0)

Anonymous Coward | more than 8 years ago | (#15471550)

...or off shored to where people don't give a crap... *cough*MetLife*cough*

Why HIPPA is broken (4, Interesting)

callistra.moonshadow (956717) | more than 8 years ago | (#15471417)

Case in point: My father was hospitalized and I was called to approve treatment over the phone. The ER personnel never gave me the HIPPA security code. Later I called to check on his status. The nursing desk staff refused to give me that information citing HIPPA. Uh...they called me as medical power of attorney to give permission to treat him yet they never gave me the top-secret security code. When I pointed out how ludicrous that was they just used HIPPA as the reason to not give me my dad's health status. I managed to bypass the idiocy with the use of said Protected Healthcare information to get the information requested. It just shows that laws are made by the powers, but the analysis of the use-cases that will interact with the laws have not been given the proper review for the cases that are exceptions. So, all that said, nothing surprises me.

Re:Why HIPPA is broken (2, Informative)

jdoc (216868) | more than 8 years ago | (#15471559)

Let me give you a doctors perspective: HIPPA was created and implemented to, among other things, control the outrageous number of frivolous lawsuits arising from "breeches of privacy". Yes, it helps with privacy issues in medicine, and is needed for said reason. The lawsuits became a real burden in the 90's, just when medical malpractice lawsuits skyrocketed, as did insurance premiums. The Clinton's just sat back and watched, which doesn't surprise me- they've always been anti-doctor (I still remember that famous tour of American hospitals that Hillary went on in the early 90's, in order to see what needed to be done to improve our medical system. Her conclusion? "Doctors make too much money". She opened the floodgates to HMO's, and brought us dangerously close to socialized medicine. Our situation has somewhat stabilized now that Bush has at least spoken up for doctors, but the lawyers and insurance companies, in the meantime, have cleaned house and set a dubious precedent for lawsuits and reimbursements in medicine). HIPPA curbed the rate of lawsuits which were based on the privacy issues, but put restrictions on ALL communications between health care providers and the general population. The rules set forth by HIPPA are confusing at best, so the general attitude is, "don't tell anybody anything about anyone". It's better to deal with a disgruntled patients relative or power of attorney then it is to deal with government fines and expensive lawsuits. It doesn't surprise me that nurses aren't more forthcoming with medical information. Also, someone mentioned the Bush administration's cavalier attitude towards privacy issues. This really has nothing to do with the Bush administration. At least his administration laid down the framework for a privacy laws, which HELPED medicine, which is more than I can say for the Clintons. As far as enforcement is concerned- hospitals will handle issues locally at first. The government won't get involved until a lawsuit is filed, and then it'll come in the form of penalties to the hospital. I dread the day that Hillary gets into office, as do many other health care providers.

Re:Why HIPPA is broken (2, Insightful)

Bored George (979482) | more than 8 years ago | (#15471647)

Thanks for the tried and true GOP talking points: First, there's no problem here, move along. Second, if there is a problem it is because of the Clintons (or "Clinton's", if you prefer). Nicely done. Your tax cut is in the mail.

Re:Why HIPPA is broken (1)

jdoc (216868) | more than 8 years ago | (#15472010)

Nice, mature post. Do me a favor, before you vote next time, do some research on this issue, if it concerns you so.

Re:Why HIPPA is broken (0)

Anonymous Coward | more than 8 years ago | (#15473749)

Your orignal post just wasn't well written. It comes off as literally a GOP/FOX News talking point. Maybe you did research the topic, but you let your e-feelings show a little too much. I bet you're a white, republican, christian. Am I right? Tell me more about your thoughts on border legistlation.

Re:Why HIPPA is broken (4, Insightful)

callistra.moonshadow (956717) | more than 8 years ago | (#15471740)

Sure, I agree that there are reasons for HIPPA. I used to work at a firm that required HIPPA certification and I hold a current HIPPA cert. What is troublesome is how the HIPPA laws are used to either avoid dealing with things that are broken, or that they don't necessarily protect the so-called protected information. It could also lead to a person's death if not handled by someone that can bend the rules when the exceptions arise. That's what has me concerned - the lack of a plan for when things don't flow through the gates as expected. It has nothing to do with which adminstration is in power and everything to do with what makes logical sense. The way a hospital enforces HIPPA is broken - at least in my opinion from personal experience.

Re:Why HIPPA is broken (1)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#15472821)

>It could also lead to a person's death if not handled by someone that can bend the rules when the exceptions arise. That's what has me concerned - the lack of a plan for when things don't flow through the gates as expected

Fortunately HIPAA explicitly requires (black and white) that there be an emergency override procedure in place.

Re:Why HIPPA is broken (1, Flamebait)

Garg (35772) | more than 8 years ago | (#15473349)

...I hold a current HIPPA cert.

Wow, you got a cert and you can't even spell HIPAA? And people here talk about MCSE's!

Re:Why HIPPA is broken (2, Interesting)

taumeson (240940) | more than 8 years ago | (#15473886)

1. Why the hell do people keep calling HIPAA HIPPA? There are two A's, not P's.
2. There are more lawsuits for "breeches of privacy" than from before HIPAA....I suppose the argument can be made that they're not "frivolous", but I just wanted to point this out.
3. Some Doctors do make too much money. I know of doctors worth over 100 MILLION. I can't see a big difference between what they did (the one I'm thinking about died a few years ago) and what my GP does. And when it takes a 2 MILLION dollar starting bonus just to get a crappy cardiologist in the door, well things might be out of wack.
4. HIPAA was passed in 1996...way before the Bush Administration was put into power. As you should know, March and October 2001 were important milestones for HIPAA, neither of which you can give the Bush Administration any credit over as far as fleshing out the framework. Sure, the BA had a lot of input into the rules by the April 2003 enactment of the Privacy portion, but the "framework", as you called it, had nothing to do with them.
5. Capping liability payouts does very little to nothing to keep insurance premiums down...insurance regulations are the only thing that keeps premiums down. When you cap liability payouts the insurance companies do not pass the savings onto the consumer, and this can be seen by analyzing the states that have passed liability caps. Now, don't get me wrong, I believe punitive damages should be capped and actual damages uncapped, but insurance companies say that unless you give them the power to determine actual damages they aren't going to be able to control costs and therefore don't pass the savings onto the consumer.

More than you know: you *are* a number (3, Insightful)

Just Some Guy (3352) | more than 8 years ago | (#15472301)

According to HIPAA, at least as of a couple years ago, no privacy violation was too small. Including, say, a nurse coming to the waiting room and asking for "Mrs. Smith". After all, Mr. Jones sitting next to her would then know that woman's name. Instead, the only proper method for calling patients back to the treatment rooms is installing one of those "take a number" dispensers, then calling patients by number.

Never mind that we live in a small town where Mrs. Smith and Mr. Jones went to kindergarten together and come from families that have been here for 150 years. And forget that my wife is a podiatrist and that visiting her isn't inherently compromising (unlike, say, sitting in the lobby of a clinic for sexually transmitted diseases).

So, according to HIPAA, my wife is breaking the law each and every time she treats her patients like people instead of numbers. We haven't had a complaint yet and don't expect to, but could technically be busted for violating Mrs. Jones's privacy at any moment.

Re:More than you know: you *are* a number (1)

Pendersempai (625351) | more than 8 years ago | (#15473218)

So why doesn't your wife call for number 352 from the lobby, and then ask Mr. Smith how he is once he is out of the public waiting room? That way she could protect his privacy, not break the law, not be open to liability, AND treat him like a human. I don't think it's your wife's place to decide that Mr. Smith's comfort at the moment of being called out of the waiting room supersedes his right to medical privacy. Maybe nine out of ten -- or even 999 out of 1000 -- Mr. Smiths agree with your wife's decision, but we have privacy laws to protect the sometimes very small minority who really do want or need their privacy protected.

Re:More than you know: you *are* a number (1)

Just Some Guy (3352) | more than 8 years ago | (#15473332)

So why doesn't your wife call for number 352 from the lobby, and then ask Mr. Smith how he is once he is out of the public waiting room?

Because her patients expect to be treated like humans and humans don't like being called by number. In her practice, patients tend to be retirement age or older (except for the occasional younger person with a broken toe, etc.). That population would not react well to being numerically processed.

She's much better off business-wise to upset the one person who's not used to the standard procedure at every doctor's office they've ever been to, than upsetting the 99.99% of her patients who like being recognized as a person with a name. You can argue about whether a practice should be run as a business, but if she drives off 50% of her clientele, then she won't be able to serve the other 50% at all.

Re:More than you know: you *are* a number (2, Informative)

taumeson (240940) | more than 8 years ago | (#15473729)

Names aren't Protected Health Information. You can call them out any time and not get in trouble.

Re:More than you know: you *are* a number (0)

Just Some Guy (3352) | more than 8 years ago | (#15473753)

Names aren't Protected Health Information.

That depends on your interpretation. By using names, you're theoretically announcing that Mrs. Smith has some unknown medical condition worthy of seeing a doctor. I think it's stupid, but I've been told exactly that by a compliance auditor.

Re:More than you know: you *are* a number (1)

peacefinder (469349) | more than 8 years ago | (#15474295)

If what your auditor is saying were correct, you could not have a waiting room. Everyone there is presumably there for some medical reason or other, and they can see one another for chrissakes. And we all know that patient images are PHI... You'd have to herd them into separate cells as they arrive, and keep any visitor to the office from seeing any other.

It's daft. I hate to say it, but your compliance auditor has something to gain by making things seem more difficult than they really are.

Remember that HIPAA is a complaint-driven process. The patients don't sue you directly, but instead take a complaint to the civil rights office. If the civil rights office takes action against any provider anywhere on a complaint of a patient name being called out in the waiting room, I'll buy your auditor lunch.

In the meantime, get a new auditor.

Re:Why HIPPA is broken (2, Informative)

peacefinder (469349) | more than 8 years ago | (#15474186)

Speaking as someone who keeps a copy of the HIPAA regs ready to hand, I can say that what you describe is not a problem with HIPAA. Instead, it's a problem with that provider's stupid implementation. There is no "HIPAA security code" in the law.

If you're involved in the patient's care, they are allowed to release information to you. They do have to have "reasonable belief", when releasing information, to verify that you are who you say you are and that you are actually involved in the patient's care. But the mechanism by which they confirm your identity doesn't have to be especially difficult. Asking you to provide the patient's full name, date of birth, and maybe one piece of other information should be more than sufficient.

Re:Why HIPPA is broken (1)

Luscious868 (679143) | more than 8 years ago | (#15475068)

Perhaps HIPPA is broken because the goverment can seldom do anything correctly except for collecting taxes.

Laws Not Enforced, my story (5, Interesting)

tiltowait (306189) | more than 8 years ago | (#15471442)

Last year my health insurance company, in response to a billing dispute, send me a full page from their billing database. The record for my family took up just one paragraph, and above and below it I could see other patient names, billing codes, account numbers, and more.

I asked them to explain this, and got no response. I sent the sheet of paper to the US Department of Health & Human Services. A few months later I got a letter back in the mail from them, stating that they had investigated the situation, the provider (Humana) admitted making a mistake which resulted in a privacy violation, and they weren't going to do a damn thing about it.

So, I'm hardly surprised by this article. Still it's sad to see I was in the 73 percent of cases.

Re:Laws Not Enforced, my story (0)

Anonymous Coward | more than 8 years ago | (#15472387)

Pansy. You should have sent letters to the other patients on the form, then they'd have done something.

Re:Laws Not Enforced, my story (1)

HungWeiLo (250320) | more than 8 years ago | (#15472476)

I don't know what it is - but throughout my working history, I've never worked with people as incompetent as medical billing staff.

At an annual auction fundraiser for a local hospital, I had the pleasure of giving a group of these people a 3-hour training to learn how to fill out a simple GUI with just 3 pieces of information: the item number, the price, and the name of the winner bidder. So it didn't surprise me when some study showed that up to 40% of current medical costs could be shaved off if all hospitals integrated their medical billing/patient histories systems and automated portions of their billing/insurance procedures.

Re:Laws Not Enforced, my story (1)

Moofie (22272) | more than 8 years ago | (#15473541)

Unfortunately, the insurance companies do not want efficient billing systems. The longer they can delay paying the claim, the longer they get to hold on to the money, and the more interest they collect.

Software and Policies are at fault (4, Interesting)

SpaceBass (57416) | more than 8 years ago | (#15471484)

First, there is a LOT to HIPPA to understand. People often think any discussion of their medical history is a violation. The truth is you sign a lot over when you sign HIPPA wavers. For instance, the right for your care giver to discuss anything about you with any other potential care giver (often)...you want this, trust me.

One of the areas that does continually suprise me is that medical records are stored, transmitted and displayed all in clear text. Some of the major manufacturers of the healthcare software often use FTP (not Sftp) to exchange records with their customers. Even internally with in a hospital, records are transmitted from one system to another in clear text.

If you want security, ask your care give how they are protecting your electronic records.

Re:Software and Policies are at fault (0)

Anonymous Coward | more than 8 years ago | (#15472288)

Sorry about the AC, but I'm posting this from work.

HIPPA implementation is difficult, but there are plenty of places that are doing it successfully. Take my company, for example. We are one of the entities that hospitals share HIPPA data with.

My company http://www.ifmc.org/ [ifmc.org] collects hospital quality data from health care providers across the USA. We use a secure network to collect this information and store it encrypted in secure facilities.

I'm not naive enough to think that we're 100% bulletproof, but we ARE compliant with HIPPA, and we take care of your health care data as well as any U.S. bank protects your financial data.

Re:Software and Policies are at fault (1)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#15472874)

>One of the areas that does continually suprise me is that medical records are stored, transmitted and displayed all in clear text.

HIPAA calls for encryption.

It's an "addressable" requirement, which means you can skip it if you
- document why you don't need to or can't do it
- develop your own security measure which is just as good
- collect and store evidence that your security measure is just as good

In practice my clients are treating encryption as a requirement.

Re:Software and Policies are at fault (1)

Aram Fingal (576822) | more than 8 years ago | (#15474159)

The official policy here is that we don't need encryption for network communication as long as it is within our LAN or between us and the hospital which we are associated with. The policy says that being on a switched LAN is good enough to prevent packet sniffing. Our main medical records system uses old fashoned Telnet but also works with SSH. No one is bothering to switch the client software over to SSH because it isn't officially necessary.

Similarly, we do not require encrypted storage of data for machines within our facilities but, if you take a disk or portable outside the complex, the data has to be encrypted or the device has to be locked in a box.

Re:Software and Policies are at fault (1)

forkazoo (138186) | more than 8 years ago | (#15473788)

First, there is a LOT to HIPPA to understand. People often think any discussion of their medical history is a violation. The truth is you sign a lot over when you sign HIPPA wavers. For instance, the right for your care giver to discuss anything about you with any other potential care giver (often)...you want this, trust me.

One of the areas that does continually suprise me is that medical records are stored, transmitted and displayed all in clear text. Some of the major manufacturers of the healthcare software often use FTP (not Sftp) to exchange records with their customers. Even internally with in a hospital, records are transmitted from one system to another in clear text.


I work in a field which deals with HIPAA. We sometimes recieve emails from other organisations which contain sensitive information. The author of the email sometimes just declares "This is a secure email" and says that any response on the sensitive subject must also be sent securely. Unfortunately, I've never found anything at all out of the ordinary about those emails that are declared to be secure. We don't have any decruption software on our mail server, or anything. We have no idea what causes these people to believe that they are sending things securely.

But, I honestly believe that at least some subset of them somehow believe they are doing something. So, ignorance is a huge huge danger. Most of the people who deal with secure information just have no background at all in security, and no idea what they are doing with the information.

I try to explain to my users that "Email is like sending mail in a see-though envelope." It seems to get the point across more directly than trying to talk about plaintext and encryption. They actively *don't* want to learn about that stuff, so any effort to explain it, no matter how simple, tends to be a failure.

So, don't expect that FTP and the like will be going away any time soon. Assume that all your personal information is out there, readily available to anybody who takes an interest. Assume everybody who deals with your personal information means well, but also assume that they have all the capacity to protect you information as a dim witted monkey who had his skull smashed in with a gold brick.

Re:Software and Policies are at fault (1)

peacefinder (469349) | more than 8 years ago | (#15474324)

A slightly easier analogy is "Email is like a postcard" and "Encryption is like an envelope".

Medical Piracy? (0)

Anonymous Coward | more than 8 years ago | (#15471552)

When I first read the title, I thought it said "Medical Piracy Laws ...". The wierd things is, the title still made sense to me.

Go figure.

Lazy /. Editors Create False Headlines (3, Informative)

Bored George (979482) | more than 8 years ago | (#15471572)

RTFA! This is not about "laws", it's about one law: HIPAA. And it's not that the law is "ineffectual", it's that enforcement of the law is virtually nonexistent.

Re:Lazy /. Editors Create False Headlines (1)

a55mnky (602203) | more than 8 years ago | (#15471715)

HIPAA is the defacto standard law for protection of medical records - further if you RTA, you will see that The Washington Post does not mention HIPAA by name until the 354th word of a 1200+ word article.

In any case, a law that is not properly enforced IS ineffectual.

Re:Lazy /. Editors Create False Headlines (0)

Anonymous Coward | more than 8 years ago | (#15473347)

In any case, a law that is not properly enforced IS ineffectual.

The next time that you get pulled over for speeding and the officer gives you a warning, tell him that he's being ineffectual and you demand a ticket.

(Posted anonymously so that I don't have to see the drivel that masquerades as intelligent arguments to my posts)

Re:Lazy /. Editors Create False Headlines (1)

Aqua_boy17 (962670) | more than 8 years ago | (#15472094)

IMO, failure to enforce a law does not make the law ineffecual, but it does do so to those who are tasked with enforcing it. The cynical side of me thinks that perhaps since this law was enacted during the Clinton administration that the current leaders are simply not all that interested in enforcing its provisions.

That said, and as someone who works in healthcare IT, I can substaintiate a post further up that stated that this law cost many health care deliverers millions upon millions of dollars to implement. And all of this with results that are at best spurious. To top things off, many people don't know that dentists for some reason were exempted from the law's provisions which makes no sense to me whatsoever. But then we're talking beauracracy here so I guess I shouldn't expect it to make sense.

Another point worth making is that if you look at the title of the law, it was originally supposed to be about making sure that employees could take their health insurance with them when they changed jobs (key word: portability). Instead, the thrust of the law morphed into this massive labyrinth of privacy regluations. This is patently absurd. A person's right to privacy is no different in health care than it is in any other business sector. Personal information should be protected whether it's used at a bank, a gas station, a physician's office or an emergency room.

Driving a Car? (1)

VorpalRodent (964940) | more than 8 years ago | (#15471602)

It's not enough that we get numerous automovie analogies on Slashdot - now we get them in the articles as well. I expect the next step is the "+1, Car Analogy" mod (or -6, as the case may be).

Re:Driving a Car? (1)

jd (1658) | more than 8 years ago | (#15474267)

It could be a neutral mod - +0 - Car Analogy. In fact, you could have a whole range of descriptive mods. These would be useful when the score is appropriate (so you don't want to give it a +1 or a -1) but the classification just doesn't fit. These could include a +0 on-topic, +0 mostly harmless, etc.

Practical nonsense.. (3, Funny)

jpellino (202698) | more than 8 years ago | (#15471623)

After a year long bout with several parallel ailments, my GP asked me how I was, and I replied "except for the writer's cramp, just fine". Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HPPA not to divulge anything (maybe not explicitly required but it seems everyone's in CYA mode on every visit).

As he observed, "What do they think I'm going to do - run out into the parking lot and yell to passers-by 'You'll never guess what Pellino's got...!'"

And as I observed - you get three or more seniors in the waiting room, and no matter how the small talk starts, it always becomes a grand exposition of their ailments. "Huh! You don't know from gallstones! I should be so lucky to just have your gout!" and on and on and on...

Re:Practical nonsense.. (2, Informative)

peacefinder (469349) | more than 8 years ago | (#15474398)

"Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HPPA not to divulge anything"

Then your provider needs to get a clue.

You only need to sign one HIPAA "Notice of Privacy Practices", once, for each provider. If they give you a second one, it's because their NPP was revised, or they've lost track of the fact you've already got one.

The NPP shouldn't ever ask you for anything or limit any of your rights if you sign it. It exists to inform you of the clinic's policies, and that's all. You sign only to acknowledge that you got a copy. You don't even have to sign an NPP; you can refuse it.

If they give you anything at each visit and tell you that you must sign it due to HIPAA, you'd better read it very carefully and they had better have a very specific reason for asking you to sign. It sounds to me like they're either being inept ot sneaky.

HIPAA Protect you from everyone but the government (2, Informative)

hagbard5235 (152810) | more than 8 years ago | (#15471713)

While it's distressing that HIPAA is essentially seeing no enforcement, I find it more distressing that while it hinders movement of my medical information among my providers (requiring forms be signed by me, etc) it explicitely allows any law enforcement agent to waltz in without a warrant and assert without evidence that I am a suspect or victim in a crime and thus obtain my medical records.

Everytime I hear someone throwing a fit about being able to obtain a warrant to get my library records I think of this. Funny how no one notices MASSIVE give aways of your privacy rights under democratic administrations. Oh, and look up 'know your customer' sometime too :)

Re:HIPAA Protect you from everyone but the governm (1)

nancypants (953923) | more than 8 years ago | (#15473060)

I work in a pharmacy, and I can vouch for this. You know how pseudoephedrine became a controlled substance? Well, we now have to log all sales of it, including purchaser's name and address, and how much of the crap he bought. Police don't have access to your prescription records without a warrant, I'm pretty sure, but they can just come right in and check the PSE records. It makes me grind my damned teeth whenever I have to fill out that log book.

Compliance is Audited (2, Insightful)

ec_hack (247907) | more than 8 years ago | (#15471759)

Most major health care organizations use outside auditors to look at privacy compliance. It is taken very, very seriouly by hospitals and the other organizations. My wife has dealt with the auditors at the ambulatory surgery center where she practices. They have made all kinds of nit-picky changes to their procedures, many of which make no sense. Example: when patients with dentures or retainers go in for surgery, they have to take the appliance out and it is placed in a plastic container of water. The container has a label from the medical records printout attached. After the patient leaves, procedure was to throw the empty plastic container in the medical waste bin for disposal by burning. The auditor demanded that they peel the label off after use and shred it.

My late father had to have an outside auditor survey his office in order to remain on the list of authorized providers at several major insurance companies.

The regulations are ambiguous as can be, so violations are going to happen until the appropriate practices are worked out.

HIPPA != HIPAA (2, Funny)

TX297 (861307) | more than 8 years ago | (#15471761)

HIPAA = Health Insurance Portability and Accountability Act (of 1996)
HIPPA = Hippopotamus. With an A.

STOP SPELLING IT "HIPPA"!

But... but... (1)

jd (1658) | more than 8 years ago | (#15473989)

...it's so HIPP!

Speeding (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15471830)

That's strange, because I would probably say I am going to probably have lower top speeds when I am alone on the road as opposed to having some cars around me. Out here in New York, if the highway is open, I'll set my cruise control to about 5-7 miles over the limit. I feel like I will definitely be pulled over if a cop sees me speeding alone. However, if there are cars around, I'll speed through at 10-20 over the limit (sometimes more), because everybody else around me is going that speed.

How that applies to the analogy, I have no idea.

Why private rights of action matter (4, Informative)

sweetnjguy29 (880256) | more than 8 years ago | (#15471943)

This is a classic case of why consumers should have a private right of action to sue in court under the civil law. HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute. (However, a stricter State statute or privacy or contract law might allow a suit)

There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.

The thought process is "well, Congress said you have a right to have your information kept private, but didn't explicitly say that anyone besides the State can enforce this remedy, so oh well, your screwed if the government doesn't want to do anything."

This thought process is not only unjust, but goes against 500+ years of legal of Common Law. Where you have a right, you should always have a remedy. It is an axiom, and 20+ years of Republican Judicial Activists have destroyed this notion. It is not right, and it is not fair. And it is not conservative. It is radical and undemocratic, and goes against the rule of law.

See: http://www.privacyrights.org/fs/fs8a-hipaa.htm [privacyrights.org] and http://www.healthlawtoday.com/hipaa/files/righttos ue.htm [healthlawtoday.com] and http://www.abanet.org/buslaw/blt/2001-11-12/meade. html [abanet.org]

Re:Why private rights of action matter (1)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#15472905)

>HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute.

Lawyers are good at finding workarounds.

Don't know how the case turned out, but someone filed a negligence suit (not a HIPAA suit, you're right that those can't be done) on the grounds that the legal "duty of care" now includes following HIPAA.

Re:Why private rights of action matter (1)

Pendersempai (625351) | more than 8 years ago | (#15473258)

I absolutely agree with you. But if a cause of action were created and people started suing, a bunch of short-sighted slashdotters would begin screaming and crying about how overly litigious our society has become, while only today they wailed and moaned about how our rights are not being protected. Litigation is one of the crucial, crucial enforcement mechanisms of some of our most sacred rights, and I wish more people would realize this. There are frivolous suits, yes, but overall the effect safeguards much of what we hold dear in this society. I think you are 100% correct that there should be a citizen suit provision in HIPPA, and of course it's no surprise that companies stop caring about the law when there are no citizen suits and the administration decides not to enforce it.

Re:Why private rights of action matter (1)

Animats (122034) | more than 8 years ago | (#15474620)

There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.

Actually, it's an import from the law of the former Soviet Union, which had many unenforceable rights in the Soviet constitution.

HIPAA's unintended consequences (4, Informative)

Wilf_Brim (919371) | more than 8 years ago | (#15472178)

As a practitioner, let me say that HIPAA is being fairly actively enforced. There are some fairly bone headed breaches from time to time, but there are bone headed privacy breaches in every industry. I can tell you that there have been incredible unintended consequences. First, millions to billions have been spent (and are continuing to be spent) on HIPAA compliance. For the most part, this is money spent nominally on health care that is completely administrative in nature. Ever wonder where all of that 13% of the GDP spent on health care goes? A bunch of it is being spent on HIPAA compliance offices, with 4-6 FTEs being spent training, and doing paperwork. Not a terribly cost effective way of improving health care. Second, everyone now is safety wired into the "don't tell anybody anything" position. If your spouse is in the hospital, and you do not have a designated HIPAA compliant health care proxy, you (by HIPAA rules) don't get to know anything, other than where she/he is. No diagnosis, no prognosis, not what happened, nothing. If he/she didn't or wasn't able to make the designation in writing on admission (i.e. was run over by bus) you will need to jump a bunch of legal hurdles to get the information released. As a medical consultant, it is very hard for me to get information from people trying to refer patients to me. Too often I get the "I can't tell you that; HIPAA" line. Although, to be honest, this is a misinterpretation of the law, but many institutions have taken the view that "unless I have a piece of paper which explicitly states I can release information to you, I'm not telling you crap".

Re:HIPAA's unintended consequences (2, Insightful)

jdoc (216868) | more than 8 years ago | (#15472308)

Well said. I've been practicing medicine for about 10 years, and I've seen my share of mishaps regarding privacy (even today). The hospital I currently work out of is very strict when it comes to privacy, and the punishments are, for the most part, pretty harsh. But violations, as I've said before, are handled first at a local level, ie the hospital administration, unless a lawsuit is filed. So punishments tend to be non-publicized, but are still appropriate. The public don't hear about remedies unless they're brought to the federal level, so this may skew the effectiveness of HIPAA regulations in general. I'm not sure about this, and I couldn't post any figures that may back this up, but it may be a reason why some think that HIPAA is ineffective. I can tell you that the regulations are confusing, and it HAS increased the cost and decreased the efficiency of the healthcare system in this country- a lot of extra work, paperwork, processing time....

Warranties (2, Informative)

Aram Fingal (576822) | more than 8 years ago | (#15472228)

I think the thing with HIPAA is that it takes time for it to improve security and privacy. Basically, you can handle it however you want as long as you justify your decisions in writing as being "reasonable." Reasonable security might mean that it would cost so much to do things more securely that it would adversely affect service. There are so many small niche markets for medical information software that your reason for poor security may simply be that you only have two or three vendors who serve your specialty and they all have poor security. Many of these applications were created before security was taken as seriously as it is now and many were designed for isolated LANs but are now being connected to the internet. I hope that the bar will be raised by those people who go the extra mile. Then the standard for "reasonable" will eventually become something which really protects privacy.

This goes to the topic of software warranties. Most medical informatics software come with something like a "statement of HIPAA compliance." which basically says that the vendor has designed the software in a way that it can satisfy HIPAA if you do your part to make it secure. This is fine in itself. The problem is that these applications don't run in isolation. You need an operating system to run them on and they quite often only run on the operating system with one of the worst security track records in the business. They may also depend on other application software. For example, one which I work with uses Microsoft Word and Word Macros to handle reports from the database. It was designed that way in order to allow the integration of third party options like speech-to-text from a variety of vendors. The thing is that Windows and Word don't come with any statement of HIPAA compliance. They follow the common practice in the software industry of disclaiming all warranty including against negligence.

 

Medieval privacy (0, Offtopic)

Yvanhoe (564877) | more than 8 years ago | (#15472472)

I swear I read at first the news as 'Medieval Privacy Laws...' damn associative memory

They bypass it legally. (2, Informative)

r00t (33219) | more than 8 years ago | (#15472550)

Want insurance?

You must sign a waiver of your HIPPA rights. You agree that data given to the insurance company will not be subject to HIPPA regulations.

Seriously, read the fine print. HIPPA does not exist unless your insurance company was unusually dumb. HIPPA is nothing until the law prohibits waiver of rights.

HIPAA doesn't protect your info where it matters (0)

Anonymous Coward | more than 8 years ago | (#15472800)

The best thing about HIPAA is that the notifications you get tell you how little privacy you have.
So the next time you are answering profile questions be sure to remember that answering yes to use of an illegal drug may result in a no knock search of your premises if you piss off anyone in the government.
When medical data is treated like Lawyer Client privilege used to be before Bush, then you will have medical privacy.

No problem in Australia either (1, Informative)

Anonymous Coward | more than 8 years ago | (#15473003)

In Australia, practioners do not receive or ask your health insurance about how much cover you have. They give you the bill and it is up to you to organise paying it (between you and the health insurance company.)

In America, every medical facility that you want to claim through your health insurance appears able to access basic health insurance information such as how much you have spent "this year". What a joke.

Roll over citizen John, ACME Inc wants to make a buck and you're not allowed to have any privacy.

The trouble with HIPAA (1)

jhylkema (545853) | more than 8 years ago | (#15473259)

is that it contains no private right of action. In other words, you can't sue your insurance company when they sell your records to a marketing company^W^W^W^W^W^W^W share some of your health information with some of our selected, carefully prescreened partners. Your only recourse is to make a complaint to the same people that routinely accept millions in bribes^W contributions from the people you're complaining about. This is true with so many "protections" passed by this administration while at the same time they've gutted others (bankruptcy, class actions).

The main point of HIPAA is not privacy (2, Insightful)

Aram Fingal (576822) | more than 8 years ago | (#15473599)

Since no one has pointed it out yet, I should mention that HIPAA stands for the Health Information Portability and Accountability Act. It's the portability part that came first. The accountability part only came after privacy advocates objected. The main purpose of HIPAA was to make it easier to share data among care providers. The medical profession is much more spread out among different specialties and facilities than it ever was in the past.

One of the basic principals of HIPAA is that you can share data with anyone who is directly involved in the care of the patient and anyone who is responsible for billing for that care. I am involved with a clinical laboratory. We take samples from referring physicians, process them and give the results back. Many patients probably don't even realize that they are in our database. It seems to me that this is one of the weaknesses in HIPAA. You ought to have a right to know who has your data.

The principal of medical privacy is there to prevent anyone from avoiding treatment for fear that their information will get out. This not only applies to people with diseases which might have a social stigma but it also applies to a case like that of a criminal on the run. Such a person should not have to avoid medical treatment for fear of being tracked through medical records. This is tantamount to denying medical care. Doctors should not be part of law enforcement (of course that general principal is not absolute when you consider examples like child abuse). I wonder if the level of access by law enforcement to medical data may already be causing some people to avoid, or delay being tested for conditions.

HIPAA needs to to have a number of new provisions. You should be able to find out who has medical records on you, you should be able to get copies and have the original records deleted, or more likely anonymized since many laws require bulk reporting of the occurrence of certain diseases.

frist wps0t (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#15473675)

'Y0u see, even told reporters, FreeBSD project, projec7. Today, as

Its extremely effective... (1)

CFD339 (795926) | more than 8 years ago | (#15474014)

...at causing a pain in my A5S!

I could paper my walls with the number of stupid disclosure notices I've had to sign. One for each member of the family at each healthcare provider including eye doctories, pharmacists, alergists, etc., and another one for each school, camp, afterschool program, and employement situation.

All this, which in my case is well over 100 by this point, and they are useless?

GRRRRRRRR.

It makes me as angry as when I fill out forms for schools and camps for the kids and they have 4 or 5 forms for each kid that repeat the same questions! I'll bet I wrote my daughter's birthday 12 times just for one camp. I have three daughters, multiple camps and schools. GACK. All it does is lead to inaccuracy because when something changes all those different places will NEVER get updated.

Eureka! (2, Funny)

abb3w (696381) | more than 8 years ago | (#15474125)

So put this [slashdot.org] and this [slashdot.org] together, and we read the secret headline "Midaeval Piracy Laws", thereby tying HIPAA in with the MPAA and RIAA and the basic Slashdot anti-Copyright agenda! Yes, it's a *AA conspiracy!

Go on, mod me insightful. It's a slow news week so far.

This is part of the Plan (1)

peacefinder (469349) | more than 8 years ago | (#15474534)

From the outset, HIPAA was expected to have a period of voluntary compliance, followed by a period of enforcement aimed more toward corrective action than towards punishment. I don't recall just what the intended durations were, but the period of corrective enforcement was to be at least a few years long.

Although HIPAA was set in motion back in 1996, the Privacy rule only came into mandatory effect in October of 2002, and the Security rule not until April of 2005. We might be nearing the hard-enforcement date for Privacy, but for Security I don't think we're even close yet.

I'm no fan of this administration, but lax HIPAA enforcement is not something that one can fairly tar them with yet. They're pretty much sticking to the original plan so far.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?