http://emergentchaos.com/archives/2006/10/health-care-privacy.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2006/10/health-care-privacy.html/comment-page-1#comment-2788 aig insurance Mon, 13 Nov 2006 10:15:56 +0000 http://emergentchaos.com/?p=2032#comment-2788 aig insurance aig insurance

]]> http://emergentchaos.com/archives/2006/10/health-care-privacy.html/comment-page-1#comment-2787 Allan Friedman Thu, 26 Oct 2006 15:06:41 +0000 http://emergentchaos.com/?p=2032#comment-2787 I've been playing around in healthcare privacy recently, doing some case studies for what will hopefully be a decent simulation-driven project about data flow management. A few observations: 1) The current perceived problem in healthcare IT is not "too much info sharing" but rather, "too little info sharing." A shift towards electronic data access is supposed to a) make care administration cheaper b) reduce error and c) massively improve research opportunities for systematic care. HHS is trying to overcome substantial obstacles to make any coordinated progress towards interoperable record systems. 2) Most practitioners I talked to view HIPAA privacy requirements to be onerous and impede care. I assume that many patients and their loved ones do as well. Very little buy-in from the people involved. 3) Medical institutions are massively decentralized, so figuring out who to talk to is very hard. Often, there isn't even a single party responsible: in a data mishap involving multiple parties, do you target the primary care physician, the specialist or the lab? 4) Fines work when there is a baseline of good behavior: they provide a strong incentive to maintain that good behavior. The problem is that we aren't even terribly close to building a universal model of what good behavior is. There is massive heterogeneity across the set of behaviors inside an institution, and between institutions. The first goal of compliance is to actually have a sensible and practical privacy policy, which is pretty hard to come by. 5) The most interesting challenge to me is the Clinton example: if 30 people viewed Clinton's record, and 13 actually needed to, how do you tell the difference between rubber-necking and care delivery? You've got an institution with thousands of employees who *may* need to look at any one record, but probably shouldn't; failure to grant access to the appropriate person can literally be a matter of life and death. What is an efficient way to protect privacy in this case? If nothing else, HIPAA is making it damn hard for me to do my research :) I'd love to get my hands on HHS' complaint file. I’ve been playing around in healthcare privacy recently, doing some case studies for what will hopefully be a decent simulation-driven project about data flow management. A few observations:
1) The current perceived problem in healthcare IT is not “too much info sharing” but rather, “too little info sharing.” A shift towards electronic data access is supposed to a) make care administration cheaper b) reduce error and c) massively improve research opportunities for systematic care. HHS is trying to overcome substantial obstacles to make any coordinated progress towards interoperable record systems.
2) Most practitioners I talked to view HIPAA privacy requirements to be onerous and impede care. I assume that many patients and their loved ones do as well. Very little buy-in from the people involved.
3) Medical institutions are massively decentralized, so figuring out who to talk to is very hard. Often, there isn’t even a single party responsible: in a data mishap involving multiple parties, do you target the primary care physician, the specialist or the lab?
4) Fines work when there is a baseline of good behavior: they provide a strong incentive to maintain that good behavior. The problem is that we aren’t even terribly close to building a universal model of what good behavior is. There is massive heterogeneity across the set of behaviors inside an institution, and between institutions. The first goal of compliance is to actually have a sensible and practical privacy policy, which is pretty hard to come by.
5) The most interesting challenge to me is the Clinton example: if 30 people viewed Clinton’s record, and 13 actually needed to, how do you tell the difference between rubber-necking and care delivery? You’ve got an institution with thousands of employees who *may* need to look at any one record, but probably shouldn’t; failure to grant access to the appropriate person can literally be a matter of life and death. What is an efficient way to protect privacy in this case?
If nothing else, HIPAA is making it damn hard for me to do my research :) I’d love to get my hands on HHS’ complaint file.

]]> http://emergentchaos.com/archives/2006/10/health-care-privacy.html/comment-page-1#comment-2786 Chris Thu, 26 Oct 2006 11:39:30 +0000 http://emergentchaos.com/?p=2032#comment-2786 Regarding the last quoted paragraph -- how does needing to change only when you are caught breaking the rules encourage you to not break those rules? Face it -- "voluntary cooperation" ONLY works when actors want to cooperate, either because it makes economic sense for them to do so, or (dons sociologist hat) because the normative structure is one in which cooperation is deemed desirable by those actors. The Clinton example demonstrates that the latter is not the case, and it is obvious that the former isn't either. Regarding the last quoted paragraph — how does needing to change only when you are caught breaking the rules encourage you to not break those rules?
Face it — “voluntary cooperation” ONLY works when actors want to cooperate, either because it makes economic sense for them to do so, or (dons sociologist hat) because the normative structure is one in which cooperation is deemed desirable by those actors. The Clinton example demonstrates that the latter is not the case, and it is obvious that the former isn’t either.

]]>