Shostack + Friends Blog Archive


Health Care Privacy


Bob Sullivan has an article at Red Tape, “Health care privacy law: All bark, no bite?” and focuses on the lack of penalties.

Two years ago, when Bill Clinton had heart surgery performed in New York’s Columbia Presbyterian Medical Center, 17 hospital employees — including a doctor — peeked at the former president’s health care records out of curiosity. Earlier this year, Boston-based Brigham and Women’s Hospital repeatedly faxed patient admission sheets to a nearby bank by accident. The faxing continued even after bank employees warned the hospital. In Hawaii, Wilcox Memorial Hospital lost a thumb drive containing personal information on every one of its 120,000 current and former patients.

None of the institutions involved in these incidents has been fined under the highly touted medical privacy law, known as HIPAA (Health Insurance Portability and Accountability Act).

“Since our compliance effort began we have resolved thousands of cases through corrective actions,” said a spokesman for the agency, who asked not to be identified because of agency policies. “We believe it’s inappropriate and misleading to focus exclusively on lack of monetary penalties as a measure of the degree of compliance.”

A process of informal resolutions from the agency, spurred by consumer complaints, has been well-received by health providers, who quickly amend their faulty processes, he said. “Those resolutions bring the benefits of the privacy rule to consumers much more quickly than the adversarial process of civil monetary penalties,” the spokesman said. “It encourages cooperation.”

I’d like to ask two questions:

First, does this mean complaints are dropping? If informal resolution is the measure of compliance, complaints should be going down, right?

Second, what would it take to get the agency to fine people?

PS: I’ve covered this before, in “Medical ‘Privacy’ ‘Law.’”

3 Monkeys photo by xericx

3 comments on "Health Care Privacy"

  • Chris says:

    Regarding the last quoted paragraph — how does needing to change only when you are caught breaking the rules encourage you to not break those rules?
    Face it — “voluntary cooperation” ONLY works when actors want to cooperate, either because it makes economic sense for them to do so, or (dons sociologist hat) because the normative structure is one in which cooperation is deemed desirable by those actors. The Clinton example demonstrates that the latter is not the case, and it is obvious that the former isn’t either.

  • I’ve been playing around in healthcare privacy recently, doing some case studies for what will hopefully be a decent simulation-driven project about data flow management. A few observations:
    1) The current perceived problem in healthcare IT is not “too much info sharing” but rather, “too little info sharing.” A shift towards electronic data access is supposed to a) make care administration cheaper b) reduce error and c) massively improve research opportunities for systematic care. HHS is trying to overcome substantial obstacles to make any coordinated progress towards interoperable record systems.
    2) Most practitioners I talked to view HIPAA privacy requirements to be onerous and impede care. I assume that many patients and their loved ones do as well. Very little buy-in from the people involved.
    3) Medical institutions are massively decentralized, so figuring out who to talk to is very hard. Often, there isn’t even a single party responsible: in a data mishap involving multiple parties, do you target the primary care physician, the specialist or the lab?
    4) Fines work when there is a baseline of good behavior: they provide a strong incentive to maintain that good behavior. The problem is that we aren’t even terribly close to building a universal model of what good behavior is. There is massive heterogeneity across the set of behaviors inside an institution, and between institutions. The first goal of compliance is to actually have a sensible and practical privacy policy, which is pretty hard to come by.
    5) The most interesting challenge to me is the Clinton example: if 30 people viewed Clinton’s record, and 13 actually needed to, how do you tell the difference between rubber-necking and care delivery? You’ve got an institution with thousands of employees who *may* need to look at any one record, but probably shouldn’t; failure to grant access to the appropriate person can literally be a matter of life and death. What is an efficient way to protect privacy in this case?
    If nothing else, HIPAA is making it damn hard for me to do my research 🙂 I’d love to get my hands on HHS’ complaint file.
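The question in point 5 above is the audit problem most hospitals answer after the fact with a treatment-relationship check over the access log rather than by restricting access up front. The following is an added example, not from the post or either commenter, that reviews a constructed access log against a constructed care-team roster: any access by a user with no documented relationship to the patient is flagged, a break-glass access is kept but tagged for attestation review, and a burst of unrelated users opening one record inside a short window is reported separately as the rubber-necking pattern. Every user name, patient id, roster entry and log line is made up for the example.

```python
"""Audit-log review: record access without a treatment relationship.

Constructed example. The roster, the users and the log lines are made up;
nothing here comes from any real hospital system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    patient: str
    break_glass: bool = False   # user asserted an emergency override


# Constructed care-team roster: patient -> users with a documented
# treatment relationship (attending, unit nurse, lab on an open order).
CARE_TEAM = {
    "P-1001": {"dr_alvarez", "rn_chen", "lab_okafor"},
    "P-2002": {"dr_park", "rn_chen"},
}

# Constructed access log for one morning.
ACCESS_LOG = [
    Access(datetime(2006, 1, 9, 8, 2), "dr_alvarez", "physician", "P-1001"),
    Access(datetime(2006, 1, 9, 8, 5), "rn_chen", "nurse", "P-1001"),
    Access(datetime(2006, 1, 9, 8, 7), "lab_okafor", "lab", "P-1001"),
    Access(datetime(2006, 1, 9, 8, 30), "dr_singh", "physician", "P-1001", break_glass=True),
    Access(datetime(2006, 1, 9, 9, 1), "clerk_ross", "billing", "P-1001"),
    Access(datetime(2006, 1, 9, 9, 3), "rn_doyle", "nurse", "P-1001"),
    Access(datetime(2006, 1, 9, 9, 4), "dr_park", "physician", "P-1001"),
    Access(datetime(2006, 1, 9, 10, 0), "dr_park", "physician", "P-2002"),
]


def review_accesses(log, care_team, spike_threshold=3, window=timedelta(hours=2)):
    """Return (findings, spikes).

    findings: one tuple per access by a user with no documented treatment
              relationship; break-glass accesses are kept but tagged so a
              privacy officer collects the user's attestation.
    spikes:   patient -> set of unrelated users, for any record opened by
              more than spike_threshold distinct unrelated users within
              `window` (the curiosity pattern from the Clinton case).
    """
    findings = []
    outsiders = defaultdict(list)        # patient -> [(ts, user)] unrelated hits
    for a in log:
        if a.user in care_team.get(a.patient, set()):
            continue                     # on the roster: care delivery, no finding
        reason = ("break-glass: requires attestation review" if a.break_glass
                  else "no treatment relationship")
        findings.append((a.ts, a.user, a.role, a.patient, reason))
        outsiders[a.patient].append((a.ts, a.user))

    spikes = {}
    for patient, hits in outsiders.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # distinct unrelated users whose access falls inside the window
            # that starts at this hit
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) > spike_threshold:
                spikes[patient] = users
                break
    return findings, spikes


if __name__ == "__main__":
    findings, spikes = review_accesses(ACCESS_LOG, CARE_TEAM)
    for ts, user, role, patient, reason in findings:
        print(f"{ts:%H:%M} {user:<11} {role:<10} {patient} {reason}")
    for patient, users in spikes.items():
        print(f"SPIKE {patient}: {len(users)} unrelated users -> {sorted(users)}")
```

The roster check does not decide whether an access was appropriate; it only removes the accesses that plainly were (the documented care team) so that a human reviews the remainder, which is exactly the set the comment is asking about. The break-glass path matters because it is the answer to the life-and-death objection: the emergency access goes through, and the cost is an attestation afterwards rather than a locked door.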

Comments are closed.