Almost all of my research is in health information technology, and there are very few days when we’re not cursing HIPAA. In case you don’t know, that’s the Health Insurance Portability and Accountability Act, which protects patients’ health data from being let loose.
The things we hate about HIPAA are its inconsistencies, and its overall effect. For instance, there are tons of restrictions on sending even the simplest of emails without major encryption, but nothing about faxes at all. The law’s severe penalties create panic-like behavior in my clinic, where we worry about how a patient wandering into a back room might glance at a chart and see another patient’s name. My favorite is when the system makes me change my password every few months, which means that everyone has to write it down (so they don’t forget it), which makes the password protection much less secure.
So, in order to prevent the worst case scenario from happening, we’re all subject to seemingly insane restrictions that many of us see as impeding care. And then something like this makes the news:
A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.
Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.
Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.
The size of the breach is incomprehensible. Its duration even more so. And everything Stanford had likely done to try to prevent it failed.
My problem with the way we do HIT policy like HIPAA, though, is what the actual ramifications of this breach will be. The monetary penalty here could be in the gazillions of dollars, but I doubt the federal government will impose it. The actual harm to patients isn’t clear either. What will likely happen is that Stanford and the rest of the world will freak out. I’ve already received five different emails from different levels of my own institution at varying levels of panic.
The most likely outcome is that HIT policies will become even more draconian towards the vast majority of people who are playing by the rules. This will make it even harder for those who are providing patient care to do so efficiently. I doubt, however, that it will prevent people who just don’t know, or don’t care, from making stupid mistakes and monstrous blunders like the above.
I was thinking a lot about this over the weekend, because it reminds me of terrorism. We’re not going to be able to prevent breaches like this entirely, and we have to make sure that the rest of us can go about our lives in peace and happiness. Yet no one in power wants to have left on the table a measure that could have theoretically prevented an unwanted occurrence. There has to be a sweet spot; I wish I knew where it was.