By Daniel J. Solove
Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.
“HIPAA?” the doctors will ask.
“Yes, HIPAA,” I confess.
And then the doctor’s face turns grim. At first, it looks like the face of a doctor about to tell you that you’ve got a fatal disease. Then, the doctor’s face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called “HIPAA face.” It’s about as bad as “stink eye.”
“Oh, that’s nice,” the doctor says.
I often leave it at that, because if I say more, I might end up with a scalpel sticking out of my chest.
For so many healthcare providers, HIPAA is a source of great aggravation. It’s difficult. It’s boring. It seems to consist of a lot of inconvenient and costly requirements.
I believe that these attitudes about HIPAA are due to a failure to educate healthcare professionals about the reasons why HIPAA matters. HIPAA is not about doing all sorts of needless things for their own sake. It is about protecting patients.
A recent article in the Wall Street Journal describes the problem of medical identity theft, a problem that is rising dramatically. I blogged previously about the problem of medical identity theft, and I believe that significant attention must be devoted to this problem. According to the WSJ article: “Unlike in financial identity theft, health identity-theft victims can remain on the hook for payment because there is no health-care equivalent of the Fair Credit Reporting Act, which limits consumers’ monetary losses if someone uses their credit information.”
Medical identity theft is on the rise. It affected 2.3 million people in 2014. This chart shows how rapidly it is growing.
Medical identity theft is quite costly. According to a Ponemon study, “65% of victims reported they spent an average of $13,500 to restore credit, pay health-care providers for fraudulent claims and correct inaccuracies in their health records.”
The WSJ article explains why medical identity theft is so prevalent and why it is so damaging:
Thieves use many ways to acquire numbers for Social Security, private insurance, Medicare and Medicaid. Some are stolen in data breaches and sold on the black market. Such data are especially valuable, sometimes selling for about $50 compared with $6 or $7 for a credit-card number, law-enforcement officials estimate. A big reason is that medical-identification information can’t be quickly canceled like credit cards.
Another aspect of medical identity theft that causes great trouble is that the identity thief can pollute a person’s medical records with false data. This can affect a person’s treatment, and in some cases, it can be a life-or-death matter. In one case, described in the WSJ article, a woman was falsely listed on the birth certificate of an identity thief’s baby. The baby was born addicted to meth, and the identity theft victim was wrongly pursued by child-protective services for a baby she never gave birth to.
This is the human side to HIPAA. For healthcare providers, HIPAA need not be overly complicated or boring or tedious. I believe that good education about HIPAA is key. Healthcare workers must understand HIPAA clearly and concretely, and they must understand why HIPAA has the requirements it does. They must understand the human side of HIPAA. When they do, their attitudes change: HIPAA is not as bad as they believed it to be.
So I propose the following motto for HIPAA: If you care about patients, you should care about their data.
I hope that one day, when I go to the doctor’s office and start speaking about HIPAA, I can say: “I love HIPAA.”
And the doctor will reply: “I love it too.”
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.