The cop analogy is incorrect. This is more like punishing the cop because it was common knowledge that he would "look the other way" while crimes were being commited and he suddenly got caught (even if he tried to hide it by "arrests").
If individuals could shirk responsibility like businesses do our justice system would be a joke! For business to be able to use "profits" and "fudiciary responsibility" as "legitimate" excuses is like a pimp helping "single moms" get through "college".
All the CEOs and boards of corporations whining about the "burden" of the "Oxyclean" act after Enron make me laugh. If the job was easy, ANY clown could do it. This HIPAA whining is in the same boat!
Remember the Octomom?
Much of what we know about Nadya Suleman (picture from Celebitchy) comes from the fact that staff at Bellflower Medical Center, where she gave birth, accessed her health records. (Don’t you like how their home page shows people with clipboards?)
After an investigation 15 were fired and 8 more disciplined.
Case closed? No. The hospital has been fined $250,000 for the loss of the records and another $187,500 because the kids’ records got out too.
Justice? The folks at Loglogic, which specializes in HIPAA compliance, think not. Writes Dominique Levin:
They are doing something right! Few hospitals can detect such privacy violations and even fewer hospitals are willing to go public with the findings and openly fire employees. People in the security industry know that 100% prevention of these type of violations is impossible. Nurses need access to patient records. Setting access rights on patient information too tight could cost human lives. What if at the crucial moment in patient’s treatment, a nurse is denied access to a patient file? You get the picture. Therefore, where you cannot 100% prevent access to information, you must monitor access to information. And if those people abuse their access privileges, you discipline them. This is what Kaiser did.
So why exactly is Kaiser being punished so hard? Are regulatory oversight bodies implicitly saying that it would have been better for Kaiser NOT to do any monitoring, not to detect the privacy violations and NOT to fire the nurses?
If Ms. Levin is asking for some mitigation I sympathize. Hitting the people who found the breach, publicized it, and took action against those who violated policy is a bit like tossing the cop who caught the crooks into jail next to them.
Loglogic’s fear is that hospitals will see this case and decide not to buy its compliance services. Without an access log the hospital could have full deniability and, if someone accessed the records illegally it might throw up its hands and claim ignorance.
Yes and no. The point of the fine is that deniability claims will no longer be accepted. Hitting the hospital with the maximum is a bit excessive, but authorities want everyone in the system to know they’re as serious as a heart attack concerning violations of the law.
So an appeals process and mitigation seems like a good idea. But no, HIPAA hasn’t gone wild. And perhaps the ultimate answer here is to make violations like those committed the the Bellflower 23 criminal matters.
What’s your opinion?
