Tuesday, June 06, 2006

A Ticket for HIPAA

[Editor’s note: Great minds really do think alike. As I was writing the following, Bob was posting his take on the same issue. Wow.]

While I'm no fan of HIPAA (IMO, it created more problems than it solved), it is the law of the land. So I am puzzled, bordering on angry, that

(i)n the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

According to the WaPo, the complaints reported most often fall into these categories:

■ personal medical details were wrongly revealed
■ information was poorly protected
■ more details were disclosed than necessary
■ proper authorization was not obtained
■ patients were frustrated getting their own records

I can sort of see that last: most physicians' offices charge a fee for those records. Contrary to popular belief, they are not "your own," any more than the service records your mechanic keeps on your car are. Still, it's not supposed to be a frustrating experience.

In this day of identity theft, there really is no excuse for personal information to be "poorly protected," either.

Turns out, three quarters of the cases were deemed to be non-violations, which seems about right: just because you’re ticked with a given provider doesn’t mean they’ve done something illegal. I’m not as sanguine about that other 25%, though:

(H)ealth plans, hospitals, doctors' offices or other entities [were allowed] simply to promise to fix whatever they had done wrong, escaping any penalty.

Certainly there needs to be some flexibility in the system, but that’s an awful lot of it. HHS counters that they’re striving for “voluntary compliance,” which they think is working. Of course, the providers are all in favor of the voluntary model (preferring carrots to sticks), but privacy advocates are nonplussed:

"The law was put in place to give people some confidence that when they talk to their doctor or file a claim with their insurance company, that information isn't going to be used against them," said Janlori Goldman, a health-care privacy expert at Columbia University.

As the clock ticks toward across-the-board implementation of EMR (Electronic Medical Records), the stakes are getting higher. Part of HIPAA requires that medical record safe-keeping adhere to a set of stringent federal guidelines rather than varying state by state, but that raises its own problem: the security of the records. As we saw recently with the VA, this is far from a slam-dunk.

I’ll let a “neighbor” have the last word:

"It's like when you're driving a car," said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. "If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply."