
This is evil shit you’re saying (I’m being a bit dramatic, sure). Healthcare is made more expensive by all these rules about IT. Life or death depends on keeping costs down and making it seamless for doctors to share information with one another. It isn’t some catastrophe if a breach happens. They’ve happened before, yet people have not been getting their private health information published in the local newspaper.



Healthcare is made more expensive by all these rules about IT.

Healthcare is made more expensive by a lot of things. Sometimes the cost of treating one specific condition affecting one specific individual right now isn't the only thing that matters.

It isn’t some catastrophe if a breach happens.

Given that we're potentially talking about sensitive personal data, that is a wildly unsafe assumption. Sadly our society has and probably always will have both widespread cultural prejudices and individual personal prejudices against people who have or have had certain conditions, who are receiving or have received certain treatments or procedures, and so on.

If a computer wasn't fully encrypted but no identifiable data ever actually leaked then sure, that's a technicality but no real harm was done on that occasion. If a computer with a list of everyone who, say, had an abortion or received treatment for their mental health in the last decade was held insecurely and that data was leaked to the wrong people after a breach, then that could profoundly affect or in the worst case even endanger the lives of the people involved.


Shouldn't be seamless, on the contrary. Full of seams. Go back to pencil and paper, better. That was a better system on all counts.

Like actually getting my private health information published in the local newspaper--in particular regarding my psychiatrization and torture--is much, much better than creepy standardized test cheaters knowing all my secrets and nobody else knowing anything. That's what I'm doing these days.

In fact I would say the system works far too well, it's very easy for doctors to gossip in their seamless channels and far too hard to stop my psych record--like it was a prison record or a warrant or some actual judgment by a worthy authority--getting around behind my back. I still can't see it myself. I'm expected to believe I have a doctor who advises people paying for my treatment and I've never met this asshole. Hundreds, even thousands of pages and I can't see any of it, it's like a Kick Me on my back, but a biography, a Kick Me epic. Jorge Barros Beck has a few hundred pages, Ximena Rojas Núnez has some, Stanford CAPS has some, that asshole I told you about, then "Clínica" Rayencura produced a couple hundred (they have a former trained journalist called Gonzalo, former junkie too, working to fill out accusative, slanderous dossiers on people, he doesn't say shit he just writes shit, only shit, lots of shit).

Can't wait for that leak!


I worked in three different healthcare technology companies (for doctors, pharma, and insurance).

1. In not a single case was compliance with HIPAA rules ever a cost center beyond the initial project to implement controls, and that itself wasn’t a huge project. For most organizations, compliance with the guidelines is simply good data security. It’s like calling any internet security expensive and unnecessary.

2. Doctors can share data. They have tools to share it in their EMRs, and there are no restrictions to sharing it with other healthcare providers during the course of care.

3. The security and privacy rules are almost entirely about the prevention of public, accidental, or unauthorized disclosure, and also about giving patients access to whatever data you hold on them.

4. Why would newspapers want to publish random people’s healthcare information? Unless it was part of a piece targeting a famous/influential person or medical practice, in which case yes, if they access and publish individuals’ healthcare information without consent, that’s a breach of privacy that can be challenged in court. The law isn’t about the damages per se, it’s about the breach of privacy and confidentiality.


If you were right, we wouldn’t see comments like this one:

https://news.ycombinator.com/item?id=6619188


That’s a comment from 2013, now 9 years ago. Since then, healthcare technology has really changed. Compliance and auditing are pretty standard with easy-to-follow playbooks, and there are plenty of off-the-shelf tools that are HIPAA-compliant as soon as you sign a BAA with them. If you’re in health tech, this is the floor, not a high bar.

That said, there can be a few times when your comment accurately describes what’s going on:

- a non health tech vendor needs to comply with a healthcare client’s needs and they are navigating HIPAA and HITECH for the first time.

- this is often paired with a situation where the company never refactored their SaaS software past the MVP prototype phase, and so they have no logging or controls and effectively need to rebuild their entire system to be security-first; healthcare regulations are just one of the factors they need to consider as they expand the markets they serve.

- a company is concurrently trying to get SOC and/or other certifications. Those get pretty intense.

For situations 1 and 2, that’s when a lot of vendors will explicitly say they aren’t HIPAA compliant and choose not to serve healthcare partners (vendor evaluation in healthtech is a pain in the butt because of that). For situation 3, yes, that’s a pain. My own team went through that and it was a year-long process.

That said, there is an initial upfront cost with regards to documentation. However what most people complain about are the requirements to retrain all employees semi-annually on data privacy and protection best practices, which kills a full day or two of company productivity.




