Below as received from the Crypto-Gram Newsletter.
Hope it is of some use.

----------------------------------

In the U.S., medical privacy is largely governed by a 1996 law called
HIPAA. Among many other provisions, HIPAA regulates the privacy and
security surrounding electronic medical records. HIPAA specifies civil
penalties against companies that don't comply with the regulations, as
well as criminal penalties against individuals and corporations who
knowingly steal or misuse patient data.

The civil penalties have long been viewed as irrelevant by the
healthcare industry. Now the criminal penalties have been gutted.  The
Justice Department has ruled that the criminal penalties apply to
insurers, doctors, hospitals, and other providers -- but not
necessarily their employees or outsiders who steal personal health
data.  This means that if an employee mishandles personal data, he
cannot be prosecuted under HIPAA unless his boss told him to do
it.  And the provider cannot be prosecuted unless it is official
organization policy.

This is a complicated issue. Peter Swire worked extensively on this
bill as the President's Chief Counselor for Privacy, and I am going to
quote him extensively. First, a story about someone who was convicted
under the criminal part of this statute.

"In 2004 the U.S. Attorney in Seattle announced that Richard Gibson was
being indicted for violating the HIPAA privacy law. Gibson was a
phlebotomist (a lab assistant) in a hospital. While at work he accessed
the medical records of a person with a terminal cancer condition.
Gibson then got credit cards in the patient's name and ran up over
$9,000 in charges, notably for video game purchases. In a statement to
the court, the patient said he 'lost a year of life both mentally and
physically dealing with the stress' of dealing with collection agencies
and other results of Gibson's actions. Gibson signed a plea agreement
and was sentenced to 16 months in jail."

According to this Justice Department ruling, Gibson was wrongly
convicted. I presume his attorney is working on the matter, and I hope
he can be re-tried under our identity theft laws. But because Gibson
(or someone else like him) was working in his official capacity, he
cannot be prosecuted under HIPAA. And because Gibson (or someone like
him) was doing something not authorized by his employer, the hospital
cannot be prosecuted under HIPAA.

The healthcare industry has been opposed to HIPAA from the beginning,
because it puts constraints on their business in the name of security
and privacy. This ruling comes after intense lobbying by the industry
at the Department of Health and Human Services and the Justice
Department, and is the result of an HHS request for an opinion.

From Swire's analysis of the Justice Department ruling:  "For a law
professor who teaches statutory interpretation, the OLC opinion is
terribly frustrating to read. The opinion reads like a brief for one
side of an argument. Even worse, it reads like a brief that knows it
has the losing side but has to come out with a predetermined answer."

I've been to my share of HIPAA security conferences. To the extent that
big health is following the HIPAA law -- and to a large extent, they're
waiting to see how it's enforced -- they are doing so because of the
criminal penalties. They know that the civil penalties aren't that
large, and are a cost of doing business. But the criminal penalties
were real. Now that they're gone, the pressure on big health to protect
patient privacy is greatly diminished.

Again Swire:  "The simplest explanation for the bad OLC opinion is
politics. Parts of the health care industry lobbied hard to cancel
HIPAA in 2001. When President Bush decided to keep the privacy rule,
quite possibly based on his sincere personal views, the industry efforts
shifted direction. Industry pressure has stopped HHS from bringing a
single civil case out of the 13,000 complaints. Now, after a U.S.
Attorney's office had the initiative to prosecute Mr. Gibson, senior
officials in Washington have clamped down on criminal enforcement. The
participation of senior political officials in the interpretation of a
statute, rather than relying on staff attorneys, makes this political
theory even more convincing."

This kind of thing is bigger than the security of the healthcare data
of Americans. Our administration is trying to collect more data in its
attempt to fight terrorism. Part of that is convincing people -- both
Americans and foreigners -- that this data will be protected. When we
gut privacy protections because they might inconvenience business,
we're telling the world that privacy isn't one of our core concerns.

If the administration doesn't believe that we need to follow its
medical data privacy rules, what makes you think they're following the
FISA rules?

News article:
<http://www.nytimes.com/2005/06/07/politics/07privacy.html>

Swire's essay:
<http://www.americanprogress.org/site/pp.asp?c=biJRJ8OVF&b=743281>



Best,

Lopo
-- 
  Care2x - Integrated Healthcare Environment
  http://www.care2x.org
  mailto:[EMAIL PROTECTED]

Project Team Member

  Humaneasy Consulting
  http://www.humaneasy.com
  mailto:[EMAIL PROTECTED]


_______________________________________________
Care2002-developers mailing list
Care2002-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/care2002-developers