LTCI Watch: HIPAA privacy
By Allison Bell
The other day, a U.S. Department of Health and Human Services (HHS) technology office shared an outside blog about the intricacies of getting doctors to e-mail with patients.
The blogger suggested that physician boredom with routine questions was more of an obstacle than Health Insurance Portability and Accountability Act (HIPAA) privacy and data security requirements -- but then talked about prodding doctors and patients to use an existing "mobile-based secure messaging system."
Spouses and children run into HIPAA privacy rules as a wall when trying to care for loved ones with dementia in a rational fashion. Members of Congress have heard allegations that the U.S. Department of Veterans Affairs is using HIPAA privacy rules as a defense against whistleblowers.
Agents, brokers and care coordinators who work with long-term care insurance (LTCI) beneficiaries seem to need a master's degree in HIPAA privacy rules to do their jobs.
A government attorney said in June that agencies had collected $10 million in HIPAA privacy and data security violation fines in the previous 10 months. Some of the targets are the kinds of big teaching hospitals that may have helped write the HIPAA regulations. What hope does a mild-mannered LTCI agent have with HIPAA when the law trips up New York Presbyterian Hospital?
Meanwhile, let's face it: In the real world, HIPAA privacy and data security rules are mostly for the sorts of people who shun jaywalking, and for big, investigator-attracting organizations with deep pockets. When the people involved in an acute health care or long-term care (LTC) services conversation are in a good, helpful mood, and decide that the other people involved in the conversation are nice and non-litigious, HIPAA privacy rules melt away. Doctors gossip about funny patients with their spouses. The professionals providing services for people with dementia find ways to share the necessary information with the family caregivers. Office managers tell employees that John Doe can't come in to work this week because John Doe has the flu.
To deal with the HIPAA rules, the big organizations most directly affected by HIPAA try to make folks communicate with them through secure, HIPAA-compliant communications systems. The users either cope with the arrival of yet another password-protected system by reusing a version of the "regular passwords that they always use," or they make a mockery of data security basics by writing the passwords down on paper, or by storing the passwords in conveniently hackable plain-text files on their computer or phone desktops. Either way, the secure messaging system is only as secure as the weakest password habit feeding it.
The NSA and Russian hackers probably have installed enough keystroke loggers on enough systems that they already have most of whatever parts of this information they want stowed away in their server farms. Google openly collects enough information about all of us that it could blackmail tens of millions of us by threatening to reveal what it knows about where we itch.
This is, clearly, not a great time to try to revise HIPAA, and I fully appreciate and share the paranoia embedded in the HIPAA rules. Today, however, our personal information is already fully transparent to hackers. We need to give up on the idea that airtight security exists, simplify whatever privacy and security rules we keep, and emerge with clearer, more practical rules that support acute care and LTC communication, rather than hindering it.
Originally published on LifeHealthPro.com