By Allan Holmes | Wednesday, February 27, 2008 | 04:46 PM
This may not seem like an unusual news story, but an Oklahoma City woman was accused this month of violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the federal law that requires companies to properly secure the personal medical records of patients and employees or face fines or criminal prosecution. What's unusual about this story is that in the nearly 12 years HIPAA has been around, the number of HIPAA violations and criminal cases has been extremely low -- almost non-existent.
Considering that a large portion of American corporations -- as much as 40 percent back in 2006 -- were not in compliance with the law, a lone violation seems even more incredulous. The reason for the non-compliance, privacy and security experts say, is that it pays not to comply. The risk of being caught is so low compared with the high cost of compliance that the business case argues for not complying. The return on investment for securing private health data just isn't there. Privacy experts may have a different point of view.
Comments
Part of the problem is that there isn't an easy way to report HIPAA violations. Where do you go? Who do you call? Most businesses don't care because they know it would take a significant amount of work on your part to do anything about it. I actually had a woman laugh when I pointed out that they were violating HIPAA. She said, "Oh. You're worried about THAT?!" ...but unless I hire a lawyer, what do I do about it?
Anonymous | Sunday, March 09, 2008 | 08:51 AM

I know from experience, having had a small janitorial service that cleaned doctors' offices a few years back, that when office staff were done with a record entry, the forms were just thrown into the trash for us to remove and throw into a regular open dumpster. It was really obvious that a person's SS# was the account number, with three zeros as the suffix. Isn't this a violation of the act/law? Have insurance companies moved away from using the SS# as a medical or account number?
Ed | Friday, February 29, 2008 | 07:49 AM

Again, until the cost of doing business wrong (in violation of the law) is much greater than the cost of doing business right (in compliance with the law), we will see business being done wrong. When the fine for violating the law is less than the profit that can be made, it's just a cost of doing business.
Ray | Thursday, February 28, 2008 | 10:04 AM

I am hoping to see more court actions.
Tom | Thursday, February 28, 2008 | 09:22 AM

Try "incredible" rather than "incredulous."
Anonymous | Thursday, February 28, 2008 | 08:57 AM

I would venture to say that it would be difficult to prove these types of cases to begin with. How does a patient "really know" if his information is being kept private if you can't actually prove it? In a friend's divorce case several years ago, her former spouse produced her medical records in court. There had been no subpoena issued for them, and upon inquiry, the hospital's records did not show that information had been released to any outside party or unauthorized medical facility. What was highly suspect was that the new spouse of the former husband was a health professional at a neighboring hospital. If there is collusion between hospital staff with no accountability, the patient is violated. I would not call the lack of cases a success story, since confidentiality can't be "proven."
Janet Downey | Thursday, February 28, 2008 | 08:03 AM

It appears to me that HIPAA is used primarily to restrict the amount of information released to patients and their families (whether properly invoked or not is another issue) and to restrict the release of information from one physician to another. Another law passed with good intentions but little thought of the actual consequences.
Rick Kane | Thursday, February 28, 2008 | 07:53 AM

ABOUT THIS BLOG
Allan Holmes on what's happening and what's being discussed in the world of federal information technology.