HealthBlawg

David Harlow's Health Care Law Blog


HealthNet and HIPAA, Again … So, Does HIPAA Work?

March 15, 2011

HealthNet either lost, or had stolen from it, computer hard drives containing the PHI of 1.9 million subscribers, which had been kept at a California facility. This latest HealthNet data security breach, which may have exposed names, Social Security numbers, addresses, health information and financial information, comes a little over a year after a widely reported data security breach by HealthNet in Connecticut, which resulted in the first state Attorney General action under the HIPAA amendments contained in the HITECH Act. HealthNet is notifying affected individuals and is offering two years of no-cost credit monitoring and fraud resolution services, plus credit restoration and identity theft insurance as needed.

It's both surprising and unsurprising that this has happened again to HealthNet. In these cases, and in recent cases in Massachusetts (the Mass General Hospital HIPAA settlement) and Maryland (the Cignet HIPAA violations and civil monetary penalties), we have seen examples, collectively, of individual sloppiness, of ineffective corporate policies and procedures, and possibly of gross neglect, fraud or incompetence. The question arises: Is HIPAA the right instrument to address all three sorts of problems? Since it seems not to be having an effect on any of them, I would suggest that the answer is no.

We need to retrench and figure out how best to address each of these scenarios. The HIPAA enforcement scheme's underlying assumption is that covered entities would rather comply with the rules than face the monetary, customer relations and public relations hits associated with violating them. Instead, it seems we've created something like a market for trading emissions credits. At some level, certain covered entities either (a) are really, really poorly managed or (b) have made the calculation that it makes more business sense to take the hits than to comply with the rules.

Bottom line: Since it seems unlikely that the federales and the states will ramp up enforcement beyond current levels, the rules need to be reformulated so that they make more sense given current clinical, business and technological realities. Meanwhile, it's the law of the land. Deal with it.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: Health care policy, Health Law, HIPAA, HIT, OIG, Privacy


Comments

  1. Autumn Matthews says

    March 15, 2011 at 3:46 pm

    In my opinion, HIPAA will never be able to address the inadvertent accidents that tend to happen everywhere. Sure, you can fine a facility out the wazoo, but will that REALLY help someone NOT lose a device later?

    More specifically, I think HIPAA is a great device to educate staff about, in order to ensure no one is deliberately giving out the PHI. That deliberate, meant-to-cause-harm type of conduct I feel can be deterred via HIPAA. However, it’s very hard to deter future accidents from happening.

    Are all facilities to assume laptops will be stolen in transport? Are all flash drives meant to fall out of pockets? To hold these facilities responsible requires quite a dystopic view of the world. Sort of a, “You are responsible for the breach because you should have assumed someone would steal the device/hack the computer/insert your own HIPAA circumstance.”

  2. David Harlow says

    March 15, 2011 at 4:24 pm

    @Autumn —

    I respectfully disagree. Your position is tantamount to never holding liable for an automobile collision the driver at fault – who was texting while driving – because she didn’t crash the car deliberately.

    Laptops and flash drives should not leave facilities with unencrypted (or otherwise unsecured) PHI on them. Pretty straightforward. I’m not sure what will make covered entities sit up and take notice short of draconian penalties (e.g., temporary suspension of license/certification). If there really is not that much harm in releases due to lost or stolen flash drives or laptops, then the rules should be changed. Of course, there is harm in such releases, and I believe that since we’ve solved the technical issues, we need to find the right levers to influence human behavior so that such data security breaches are simply eliminated.

  3. A Los Angeles Cardiologist says

    March 18, 2011 at 1:54 pm

    Healthnet and other institutions that have lost or have had protected information such as social security numbers stolen from them have little consequences to pay for this breach of security. It seems that all they do is provide one year of free credit monitoring. Perhaps if they had to pay a small fine or payment for each person’s information that was lost they would be more careful.

Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.