I was watching videos featuring witches, warlocks, dragons and trolls over the weekend.

Then I started to watch some YouTube videos from the Privacy and Security Summit that the U.S. Department of Health and Human Services (HHS) hosted last week, after the 2016 Health Datapapalooza conference.

See also: 3 reasons HIPAA audits might not be that bad

The fantasy movies and TV series I watched featured people doing impossible things in a way that made a weird kind of fantasy sense.

The HHS conference videos featured brilliant, hard-working speakers, who are trying to achieve the noble privacy protection and patient information access goals set by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other federal laws. Unfortunately, the regulatory framework the speakers were talking about made no logical sense whatsoever.

In recent months, HHS has imposed a $239,800 HIPAA penalty on a home care agency because a worker broke company rules and took patient records home with her, in her car, in a not-very-secure way — presumably so that she could, you know, use the information in the records to provide care for people in their homes.

HHS then set patient health record access guidelines. Under the guidelines, any issuer of long-term care insurance (LTCI) or other health-related insurance must be prepared to send an insured’s records to the insured, or to some other party, within 30 days of getting a request. Even if the records are 50 years old and stored in trash bags in salt caves in Utah. The insurer can charge the insured modest copying and postage fees, and that’s it. 

The HHS Office for Civil Rights (OCR) is in the process of organizing HIPAA health data protection, breach notification rules and privacy compliance audits. The HHS inspector general in charge of making life miserable for the OCR people is pushing the OCR people to get tough on the entities going through the audits.

Meanwhile, in the real world, most computer users have a hard time remembering more than one or two of the “strong” passwords they’re supposed to use. They cope with the password burden with strategies that make the strong passwords nearly powerless.

Some of the safeguards companies use to keep users from accidentally letting viruses in also keep users from installing software updates in a timely fashion. So users face the possibility that they’ll get hacked because of the safeguards that are supposed to keep them from getting hacked.

Doctors, hospital administrators and long-term care (LTC) facility administrators use HIPAA privacy as a shield against extra work or unwanted scrutiny when that seems appropriate. But then, sometimes, when the doctors and care managers know they need to share information, they just lower their voices and share whatever information they want to share with any people who seem to be in a position to help the patient. Because, really, what else can the doctors do? A patient has a right to privacy. But a frail elderly patient may also need help from a friendly neighbor who has no official relationship with the patient and no release forms. The HIPAA rules are creating what amounts to a health information exchange underground in every doctor’s office, every hospital and every LTC facility.

The bottom line is that Congress and regulators have created a system that sounds nice but requires the impossible. The more agencies try to keep the rules as-is, without finding ways to delay or adjust them, the wider the gap will grow between what the rules require and what the parties subject to them actually do.

Policymakers need to set more modest goals and focus on helping organizations that are run by ordinary mortals protect their computers, not go around threatening organizations with audits and fines over failures to comply with rules that only a HIPAA sorcerer can understand.

See also: Lawyer on HIPAA Phase 2 audits: Take the rules seriously
