I was watching videos featuring witches, warlocks, dragons and trolls over the weekend.
Then I started to watch some YouTube videos from the Privacy and Security Summit that the U.S. Department of Health and Human Services (HHS) hosted last week, after the 2016 Health Datapapalooza conference.
The fantasy movies and TV series I watched featured people doing impossible things in a way that made a weird kind of fantasy sense.
The HHS conference videos featured brilliant, hard-working speakers, who are trying to achieve the noble privacy protection and patient information access goals set by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other federal laws. Unfortunately, the regulatory framework the speakers were talking about made no logical sense whatsoever.
In recent months, HHS has imposed a $239,8000 HIPAA penalty on a home care agency because a worker broke company rules and took patient records home with her, in her car, in a not-very-secure way — presumably so that she could, you know, use the information in the records to provide care for people in their homes.
HHS then set patient health record access guidelines. Under the guidelines, any issuer of long-term care insurance (LTCI) or other health-related insurance must be prepared to send an insured’s records to the insured, or to some other party, within 30 days of getting a request. Even if the records are 50 years old and stored in trash bags in salt caves in Utah. The insurer can charge the insured modest copying and postage fees, and that’s it.
The HHS Office for Civil Rights (OCR) is in the process of organizing HIPAA health data protection, breach notification rules and privacy compliance audits. The HHS inspector general in charge of making life miserable for the OCR people is pushing the OCR people to get tough on the entities going through the audits.