HIPAA Security Standards

The security standards proposed under the Health Insurance Portability and Accountability Act by the Department of Health and Human Services reiterate the need for security practices that are already dictated by the business interests of health care providers and by existing law. Thus, while it is useful to be reminded of good security practices, placing security standards in a regulation merely increases the chance that health care providers will suffer administrative penalties, adverse publicity, and higher costs without increasing the security or privacy of health care information.

There are inherent tensions between the security standards and the proposed privacy standards. The access provisions, which give individuals the right to inspect and copy their health information, may require health care providers to compromise the security of records, putting themselves at risk of administrative penalties and further regulation, while raising the cost of health care.

Evidence for this comes from the world of banking and finance, where private investigators and fraudsters make "pretext" calls to gain access to private financial records. Claiming to be a customer, they will use Social Security Numbers, mothers' maiden names, and other information to learn account balances, transaction histories, and so on. This has been one of the major arguments for increasing regulation in the financial services sector. The access provisions of the proposed privacy regulation compromise security and open health care providers to pretexting.

Because information technology is changing quickly, the proposed security regulations also stand a particularly good chance of being reinterpreted by HHS. Under the Supreme Court's Seminole Rock decision, HHS could change the way it interprets its regulations without commencing a new rulemaking. In the worst case, this means that HHS could change its interpretation of a regulation and immediately enforce the newly interpreted regulation against health care providers. This is unfair, of course, and it would also raise the cost of health care without particularly improving the security or privacy of health information.

[updated 9/4/00]

©2000-2003 All content subject to the Privacilla Public License.