Hitting the hospital with the maximum is a bit excessive, but authorities want everyone in the system to know they're as serious as a heart attack concerning violations of the law. So an appeals process and mitigation seems like a good idea. But no, HIPAA hasn't gone wild.
Much of what we know about Nadya Suleman (picture from Celebitchy) comes from the fact that staff at Bellflower Medical Center, where she gave birth, accessed her health records. (Don't you like how their home page shows people with clipboards?)
Justice? The folks at Loglogic, which specializes in HIPAA compliance, think not. Writes Dominique Levin:
They are doing something right! Few hospitals can detect such privacy violations and even fewer hospitals are willing to go public with the findings and openly fire employees. People in the security industry know that 100% prevention of these type of violations is impossible. Nurses need access to patient records. Setting access rights on patient information too tight could cost human lives. What if at the crucial moment in patient's treatment, a nurse is denied access to a patient file? You get the picture. Therefore, where you cannot 100% prevent access to information, you must monitor access to information. And if those people abuse their access privileges, you discipline them. This is what Kaiser did.
So why exactly is Kaiser being punished so hard? Are regulatory oversight bodies implicitly saying that it would have been better for Kaiser NOT to do any monitoring, not to detect the privacy violations and NOT to fire the nurses?
If Ms. Levin is asking for some mitigation I sympathize. Hitting the people who found the breach, publicized it, and took action against those who violated policy is a bit like tossing the cop who caught the crooks into jail next to them.
Loglogic's fear is that hospitals will see this case and decide not to buy its compliance services. Without an access log the hospital could have full deniability and, if someone accessed the records illegally it might throw up its hands and claim ignorance.
Yes and no. The point of the fine is that deniability claims will no longer be accepted. Hitting the hospital with the maximum is a bit excessive, but authorities want everyone in the system to know they're as serious as a heart attack concerning violations of the law.
So an appeals process and mitigation seems like a good idea. But no, HIPAA hasn't gone wild. And perhaps the ultimate answer here is to make violations like those committed the the Bellflower 23 criminal matters.