While there has been no lack of security breaches in the healthcare sector, despite HIPAA, which many hold up as the Holy Grail of privacy protection, there have been very few actual fines for HIPAA violations. Like any regulation, if it is not enforced with actual penalties, then very little will be done to correct the problems that exist today and to ensure the privacy of consumer health records is preserved.
Imagine my surprise when I saw this story that Providence Health out in Seattle would have to pay a fine for a number of security breaches that occurred at their facilities. Like most breaches of this kind, it took Providence far too long to let consumers know their privacy had been compromised. To make matters worse, Providence first stated that the theft would be harmless, as the stolen tapes that held the records were not easily readable. A real case of foot in mouth when, later, consumers started getting suspicious calls requesting social security numbers, credit card numbers and the like.
Quite a shameful state of affairs.
The fine levied against Providence was nary a slap on the wrist, despite the outlandish blunders on their part. Granted, it was one of the first times that any HIPAA enforcement action of this type has ever been taken, but if HHS is indeed serious about stemming such privacy breaches, they have to make the penalties sting. With Providence reporting revenue in 2005 of over $5.5B, the $100,000 fine represents a paltry sum indeed. Doubt it will even show up in their financial reporting.
Healthcare institutions of all sizes have, by and large, poor processes and business practices to protect consumer health records. This will continue until the fines and potential bad publicity exceed the costs to actually change existing practices.
Applying HIPAA to non-covered entities will not solve the issue of consumer privacy protection for new services such as PHRs or Personal Health Systems (PHSs). What will address the problem is business risk. If for example, Google had a privacy breach of Google Health, the bad publicity would be a huge blow to their efforts in this space. Same is true for others such as WebMD, Revolution Health, Microsoft, etc.
What is needed, and maybe something HHS should consider applying to HIPAA covered entities as well, is something similar to what Markle recently published: a privacy framework as part of their Connecting for Health initiative. The privacy framework not only discusses the IT architecture and business processes needed to ensure security, but also addresses the process by which consumers are notified if records are compromised.