The current AIS Health Report on Patient Privacy tells us: National Review of HIPAA Compliance…
HealthNet either lost, or had stolen from it, computer hard drives containing the PHI of 1.9 million subscribers that had been kept in a California facility. This latest HealthNet data security breach, which may have exposed names, Social Security numbers, addresses, health information and financial information, comes a little over a year after a widely-reported data security breach by HealthNet in Connecticut, which resulted in the first state Attorney General action under the HIPAA amendments contained in the HITECH Act. HealthNet is notifying affected individuals and is offering two years of no-cost credit monitoring and fraud resolution services, along with credit restoration and identity theft insurance as needed.
It's both surprising and unsurprising that this has happened again to HealthNet. In these cases, and in recent cases in Massachusetts (Mass General Hospital HIPAA settlement) and Maryland (Cignet HIPAA violations and CMPs), we have seen examples, collectively, of individual sloppiness, of ineffective corporate policies and procedures, and possibly of gross neglect/fraud/incompetence. The question arises: Is HIPAA the right instrument to address all three sorts of problems? Since it seems that it is not having an effect on any of them, I would suggest that the answer is no.
We need to retrench and figure out how best to address each of these scenarios. The HIPAA enforcement scheme's underlying assumption is that covered entities would rather comply with the rules than face the monetary, customer relations and public relations hits associated with violating the rules. Instead, it seems we've created something like a market for trading emissions credits. At some level, certain covered entities either (a) are really, really poorly managed or (b) have made the calculation that it makes more business sense to take the hits than to comply with the rules.
Bottom line: Since it seems unlikely that the federales and the states will ramp up enforcement beyond current levels, the rules need to be reformulated so that they make more sense given current clinical, business and technological realities. Meanwhile, it's the law of the land. Deal with it.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting