Privacy? Nuthin’. Respect My Authoritah!

A fascinating enforcement action under the Health Insurance Portability and Accountability Act (HIPAA) shows what really matters in the world of privacy regulation.

The U.S. Department of Health and Human Services has imposed a $4.3 million civil penalty against Maryland-based Cignet Health for violations of its regulations. HHS’s Office for Civil Rights (OCR) found that Cignet violated 41 patients’ HIPAA rights by denying them access to their medical records, which they requested between September 2008 and October 2009. The penalty for these violations is $1.3 million.

But Cignet’s real crime was willful disobedience of the government. Who knows why, but according to the government:

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations.

The penalty for that was $3 million.

Notably, the HHS release says nothing about the condition of the aggrieved parties. How are they doing with their $31,000 apiece? Does it fully compensate for their inability to access medical records during the relevant period?

Just kidding! Nobody really cares.

This enforcement action has nothing to do with remedying a genuine breach of privacy—an annoyance and genuine paperwork problem, yes—and everything to do with sending a message: You will respect my authoritah!

Your Medical Records Aren’t Secure

I have one observation about, and one minor difference with, the very good—and very concerning—Wall Street Journal opinion piece by Deborah Peel of Patient Privacy Rights. The piece announces PPR’s “Do Not Disclose” campaign around health information, which will soon be pouring into promiscuous, government-designed “electronic medical records.”

In a January 2009 speech, President Barack Obama said that his administration wants every American to have an electronic health record by 2014, and last year’s stimulus bill allocated over $36 billion to build electronic record systems. Meanwhile, the Senate health-care bill just approved by the House of Representatives on Sunday [now signed into law] requires certain kinds of research and reporting to be done using electronic health records. Electronic records, Mr. Obama said in his 2009 speech, “will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests [and] save lives by reducing the deadly but preventable medical errors that pervade our health-care system.” But electronic medical records won’t accomplish any of these goals if patients fear sharing information with doctors because they know it isn’t private…

Describing how the Health Insurance Portability and Accountability Act (HIPAA) undermined health privacy, Peel says, “In 2002, under President George W. Bush, the right of a patient to control his most sensitive personal data—from prescriptions to DNA—was eliminated by federal regulators…” Other than the quibble about whether federal law ever gave patients anything that could be genuinely called a right, this is correct and concerning.

What’s interesting is that the policy is routinely ascribed to President Bush (not only by Peel). My suspicion is that blaming President Bush props up the dream that privacy can be maintained in a system that centralizes control of health care—if only the right party is in power.

In fact, the passage of HIPAA in 1996 (under President Bill Clinton) set the course for this outcome. The fact that HIPAA privacy was undone during the Bush administration is a coincidence convenient for his ideological and political opponents. If I’m mistaken, the proof will be the reversal of the policy during the current administration. I’m not aware of any plan for that to happen.

“Electronic record systems that don’t put patients in control of data or have inadequate security create huge opportunities for the theft, misuse and sale of personal health information,” says Peel. I agree, but more importantly, I think, public policies that don’t put patients in control create the same—or at least parallel—problems.

Transferring control of health care to the federal government transfers control of health information to the federal government. The government has interests distinct from patients, and no matter how hard one fights to protect patients’ privacy interests, the government’s interests in cost control, social engineering, and such will ineluctably win out.

Public policies that restore power to patients will restore health privacy to patients. A decade or two of exploring alternatives to patient empowerment may drive the lesson home.