By Erin Sherbert
Closer to home, the dangers inherent in HIPAA's dilution of probable-cause standards have not escaped Dennis Scott, the chief HIPAA compliance officer for the city of San Francisco. If the police or federal agents ask San Francisco Department of Health employees for patient medical records, city workers are instructed to contact Scott, who favors "giving up medical records only with a judicially approved court order, as opposed to the wave of a badge."
Loren and Ron Morgan live in Bernal Heights -- the San Francisco neighborhood that feels like a small town -- with their three teenage daughters, Reed, Maud, and Phoebe. Ron says that he got a HIPAA notice at his doctor's office recently. "I thought it was a formality, didn't bother to read much of it. I saw the words 'due process' and figured that it protected us, so I signed."
Later, Ron and Loren read the small print. "This makes me mad," Loren says. "What do they want with my children's files, our psychotherapy records?"
"I always thought our records were private," Ron says, swearing softly.
"This makes me want to leave the country," exclaims Loren.
As America grows progressively more HIPAA-aware, millions of people may begin to have similar reservations. Because of a Catch-22 literally written into HIPAA, however, there will be very little they can do to challenge government requests for their medical records.
Under HIPAA, doctors, HMOs, and other medical professionals are prohibited from telling the Morgans (and nearly 300 million other Americans) when their medical records have been requested or seized via administrative subpoena, or simply handed over voluntarily by HMOs eager to curry favor with law enforcers and secret agents. Unless the feds decide to tell them, they will never know what the government knows about their medical and psychiatric history.
Lord of the Files
The government giveth standards for electronic medical records so the government can taketh away the records later
The Health Insurance Portability and Accountability Act is not only intended to govern who has access to medical records. It also sets up generalized standards to govern how people store and transmit electronic records. The government estimates that the medical industry will spend $17.5 billion on equipment and software to make HIPAA electronic security standards work. As a result, during a recent cybersecurity trade show at the Moscone Center, HIPAA was more than a hot topic of discussion.
The usually invisible U.S. National Security Agency, which monitors real-time electronic communication worldwide, and the Department of Defense, which has numerous intelligence agencies under its umbrella, were at the conference. The two agencies have partnered with dozens of private-sector firms, including the Booz Allen Hamilton consulting firm and American Express, as well as the Newspaper Association of America (a trade group for newspaper publishers), to develop technical specifications for software products that will make the medical industry's computer systems "HIPAA-compliant" by the spring of 2005.
Several speakers at the security conference were concerned, however, about the potentially Orwellian effect of government micromanagement of data standards. Those standards might in some sense enhance medical privacy; they could also allow the government to access and use medical records more easily, because the government will have dictated the digital parameters under which the records must be kept.
"Before 9/11, we concentrated on how to protect consumer information," said Lance Hayden, business development manager for Cisco Systems Inc. "Now it's about how to get better surveillance. It's a complete shift in focus.
"The feds are driving the development of computer security from Echelon [the NSA program that listens to electronic communications worldwide] to HIPAA. The government is trying to pull together disparate systems of data sources and mine it for patterns and intelligence."
As a way of explaining, Hayden drew a line to represent what he calls a "continuum of surveillance." Post-Watergate laws, such as the Privacy Act of 1974, were designed to restrict the government's ability to gather personal information; they lie at one end of the line. "At the other extreme from the Privacy Act," Hayden said, "is the 'panopticon' state, the total surveillance society. HIPAA falls somewhere in between -- it is the government saying, 'We will monitor you.'"
Because the U.S. government sets many computer security standards and is the single biggest buyer of computer goods, the tech sector is, quite naturally, following the government's lead and money, and Cisco is no exception. The San Jose-based company is offering firewalls, encryption programs, and consulting services tailored to meet the HIPAA standards. Booz Allen Hamilton, headquartered in McLean, Va., was recently awarded a $3 million contract to train the U.S. military's 130,000 health care providers in HIPAA compliance. And the Bay Area-based Sybase Inc., which sells Patriot Act compliance software that monitors bank customers' transactions in real time for suspicious patterns, has just rolled out HIPAA Studio, a suite of medical-records software that, presumably, meets new NSA/DOD-developed security standards.
As Sybase's trademarked motto puts it: Everything Works Better When Everything Works Together.