HIPAA gone wild?

Summary: Hitting the hospital with the maximum is a bit excessive, but authorities want everyone in the system to know they're as serious as a heart attack concerning violations of the law. So an appeals process and mitigation seems like a good idea. But no, HIPAA hasn't gone wild.


Remember the Octomom?

Much of what we know about Nadya Suleman (picture from Celebitchy) comes from the fact that staff at Bellflower Medical Center, where she gave birth, accessed her health records. (Don't you like how their home page shows people with clipboards?)

After an investigation 15 were fired and 8 more disciplined.

Case closed? No. The hospital has been fined $250,000 for the loss of the records and another $187,500 because the kids' records got out too.

Justice? The folks at Loglogic, which specializes in HIPAA compliance, think not. Writes Dominique Levin:

They are doing something right! Few hospitals can detect such privacy violations and even fewer hospitals are willing to go public with the findings and openly fire employees. People in the security industry know that 100% prevention of these types of violations is impossible. Nurses need access to patient records. Setting access rights on patient information too tight could cost human lives. What if at the crucial moment in a patient's treatment, a nurse is denied access to a patient file? You get the picture. Therefore, where you cannot 100% prevent access to information, you must monitor access to information. And if those people abuse their access privileges, you discipline them. This is what Kaiser did.

So why exactly is Kaiser being punished so hard? Are regulatory oversight bodies implicitly saying that it would have been better for Kaiser NOT to do any monitoring, not to detect the privacy violations and NOT to fire the nurses?

If Ms. Levin is asking for some mitigation I sympathize. Hitting the people who found the breach, publicized it, and took action against those who violated policy is a bit like tossing the cop who caught the crooks into jail next to them.

Loglogic's fear is that hospitals will see this case and decide not to buy its compliance services. Without an access log the hospital would have full deniability: if someone accessed the records illegally, it could throw up its hands and claim ignorance.
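The monitoring Levin describes, as an added example that is not code from the post, from Kaiser, or from Loglogic: an audit log of chart accesses is checked after the fact against the staff who actually have a treatment relationship with each patient. Access is never blocked at the moment of care; instead every access outside the care team is surfaced for review, and a patient whose chart is opened by many unrelated staff (the celebrity-chart signature) is flagged. The log format, the user and patient names, the care-team roster and the threshold are all constructed for illustration.

```python
"""
Audit-log monitoring for chart access: added example, not the hospital's or
Loglogic's code. Assumes a constructed log where each line is
timestamp|user|role|patient_id|action and a constructed roster that says which
staff have a documented treatment relationship with each patient.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data). P-1001 is the high-profile
# patient; only nurse_ava and dr_lee are on that patient's care team.
AUDIT_LOG = """\
2009-03-01T08:02:11|nurse_ava|RN|P-1001|VIEW_CHART
2009-03-01T08:05:40|dr_lee|MD|P-1001|UPDATE_NOTE
2009-03-01T09:12:03|nurse_bob|RN|P-2002|VIEW_CHART
2009-03-01T10:30:55|clerk_cy|CLERK|P-1001|VIEW_CHART
2009-03-01T10:31:20|nurse_dee|RN|P-1001|VIEW_CHART
2009-03-01T11:47:09|tech_eli|TECH|P-1001|VIEW_CHART
2009-03-01T12:15:33|nurse_bob|RN|P-1001|VIEW_CHART
2009-03-01T13:00:01|dr_lee|MD|P-2002|VIEW_CHART
"""

# Constructed roster: patient -> staff with a documented treatment relationship.
CARE_TEAM = {
    "P-1001": {"nurse_ava", "dr_lee"},
    "P-2002": {"nurse_bob", "dr_lee"},
}


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # in production, count and alert on malformed lines too
        ts, user, role, patient, action = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events


def find_unauthorized_access(events, care_team):
    """Return events where the user has no care relationship with the patient.

    This is the 'monitor what you cannot prevent' check: the access was
    allowed at the time (a nurse may need any chart in an emergency), but
    every access outside the care team is surfaced for review afterwards.
    """
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]


def find_snooping_targets(events, care_team, min_outsiders=3):
    """Return patients whose chart was opened by at least min_outsiders distinct
    staff with no care relationship, mapped to the sorted list of those users."""
    outsiders = defaultdict(set)
    for e in find_unauthorized_access(events, care_team):
        outsiders[e["patient"]].add(e["user"])
    return {p: sorted(u) for p, u in outsiders.items() if len(u) >= min_outsiders}


def report(text, care_team):
    """Summarise who accessed charts outside their care team and which
    patients look like snooping targets."""
    events = parse_log(text)
    hits = find_unauthorized_access(events, care_team)
    return {
        "unauthorized_users": sorted({e["user"] for e in hits}),
        "snooping_targets": find_snooping_targets(events, care_team),
    }


if __name__ == "__main__":
    for e in find_unauthorized_access(parse_log(AUDIT_LOG), CARE_TEAM):
        print(f"REVIEW {e['ts'].isoformat()} {e['user']} ({e['role']}) "
              f"opened {e['patient']}: {e['action']}")
    print(report(AUDIT_LOG, CARE_TEAM))
```

The point of the design is that nothing in the treatment path is slowed down: the roster lookup runs against the log, not in front of the clinician. What the review queue then contains is exactly what the hospital in the post acted on, a list of named staff who opened a chart they had no business opening.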

Yes and no. The point of the fine is that deniability claims will no longer be accepted. Hitting the hospital with the maximum is a bit excessive, but authorities want everyone in the system to know they're as serious as a heart attack concerning violations of the law.

So an appeals process and mitigation seems like a good idea. But no, HIPAA hasn't gone wild. And perhaps the ultimate answer here is to make violations like those committed by the Bellflower 23 criminal matters.

What's your opinion?

Topics: Government US, Government, Health



  • WRONG!

    The cop analogy is incorrect. This is more like punishing the cop because it was common knowledge that he would "look the other way" while crimes were being committed and he suddenly got caught (even if he tried to hide it by "arrests").

    If individuals could shirk responsibility like businesses do our justice system would be a joke! For business to be able to use "profits" and "fiduciary responsibility" as "legitimate" excuses is like a pimp helping "single moms" get through "college".

    All the CEOs and boards of corporations whining about the "burden" of the "Oxyclean" act after Enron make me laugh. If the job was easy, ANY clown could do it. This HIPAA whining is in the same boat!
    • Unsubstantiated complaining is super.

      I work in billing for physicians and this previous post is a great example of what we deal with. HIPAA states, paraphrasing, you cannot divulge protected health information to 'a party the patient would object to'!

      Who is that exactly? kd5auq is just the person who calls and berates my staff because we won't talk to him about his wife's bill!
      These rules, while a nice guideline, increase costs in the medical world substantially.

      My question is, while I think medical privacy is valid, what is the specific damage that has been done by 20 people looking at this lady's records? Tell me a nurse in the 60s wouldn't have gazed at a celebrity's chart just a bit longer than someone else's.
      • Gazing isn't the point...

        it is the fact that the "gazers" then made the records public. There is nothing wrong with anyone who has access to the records in the first place to look at them. But the HIPAA line is crossed when that knowledge leaves that person's brain via their mouth to someone who is not authorized to have the information, in this case, the media.
  • Not being used as intended

    Dana, I work in the medical payment area, representing hospitals whose insurance claims have not been properly paid.

    A major problem with the HIPAA Privacy Rule (which, of course you know, is just a small part of the overall HIPAA statute) is that insurers and other "middlemen" use it as an excuse to delay or deny payment. By alleging at every intermediate step that they can't provide information because of HIPAA, they create so many logjams that often providers simply give up.

    There is also a problem with physicians, etc. They have heard, "HIPAA violations can result in criminal prosecution." So, when they get a request for information needed by some other provider to get a claim paid (e.g., an insurer asks for information regarding a possible pre-existing condition), they respond that they can't provide the information because of HIPAA. (Not true--HIPAA contains an exception for payment-related activities.) They will not hand the issue over to a knowledgeable law firm, which, of course, would cost several hundred dollars in legal fees. In one case, for instance, a physician told us, "We checked with the people at the company that copies medical records for us and they said HIPAA won't allow us to provide the information."
    • And as a patient .....

      BEFORE any medical treatment I have to sign away all rights to my medical records for "payment" or any other reason the provider deems necessary. I've never refused under the fear that I will be left to suffer a horrible fate! Sounds to me like the Hippocratic oath has been replaced by the hypocritic oath!
    • Doctor, educate thyself...

      In the case of doctors erroneously stating they can't share information because of HIPAA, further education is required. And while HIPAA should make certain the rules are clear through educational efforts, it is also the medical staff's responsibility to make certain they are properly trained and understand the regulations as well. Otherwise it is the case of the driver telling the police that he didn't know he was supposed to stop at a stop sign because the DMV didn't show that specific piece of information to him.

      Everyone must take the responsibility for keeping current, just like when you are required to earn CE credits to maintain a medical certification.
  • What privacy do we really need?

    I think for most people it is not an important question - but it does generate a LOT of paperwork.

    And there are some who would prefer that the insurance company doesn't know that they have a medical problem, or two.

    But when you get down to it I believe that there is far more value in medical personnel (including emergency personnel) having full access to my records.

    For me it is far more important to have laws that make it illegal to abuse medical records, such as fraudulent use to obtain prescriptions, exposing individuals (which would include the media), etc.
    • We are sold medical coverage as a benefit ....

      not as "insurance". The industry has modeled it as "insurance" with built-in incentives to deny paying for the SERVICE. This as well as tabloids create the fodder for abuse of medical records.
      • Unfortunately we can't hide

        When you get an insurance policy you sign away your rights to privacy. The insurance company has every right to check on your history (you have to allow that if you want the policy).

        Until we make existing conditions exclusions illegal we have that problem.
      • The problem is that once someone else is writing the checks...

        ...you lose the right to privacy to the party writing those checks. I don't think there is a way around that.
    • Medical personnel do have access....

      HIPAA doesn't bar appropriate medical personnel from accessing medical records. And, since there are already laws about fraud, that would cover using medical records for the purposes you state.

      However, I don't believe absolutely everyone needs to know my personal medical background or problems. Some people's conditions still stigmatize as in the case of mental health issues or epilepsy. Enforcement of HIPAA will probably need some tweaking over time as people start to understand and apply HIPAA regs.

      Yes this can be a paper nightmare like any other regs, but it is done and the best thing to do now is learn the most efficient way to deal with it while also working to get balance into the regs.
  • Don't do it at the last minute

    Well, that's just silly. I work in this industry too, and you don't do your "handshaking" at the time of each transaction. If two companies, like a healthcare provider and a broker, need to do business they must lay the groundwork first.

    Establish that they can share records, set rules and boundaries, sign agreements, etc. Then each record shared falls under that agreement; no further paperwork required.