We All Live in a Ninny Nanny Land

Published March 5, 2013

Anyone who still believes that the United States of America has a “free” market economy has obviously not taken a look at the health care sector lately.  Speaking as a practicing lawyer, one reliable measure of how heavily-regulated an industry may be is how many lawyers it keeps employed, both directly and indirectly.

Already one of the most heavily regulated industries on earth, the American health care sector in the wake of the Affordable Care Act, aka “Obamacare,” has become one huge rent-seeking missile for lawyers.

Consider, for example, the Health Insurance Portability and Accountability Act, commonly referred to as “HIPAA.”  You probably know it as the statute that requires delivery of pounds of paperwork regarding your privacy rights directly to your mailbox while the receptionist, when it comes time for your appointment, continues to call your name loudly in front of everyone else in the waiting room.

But as medical care providers have moved increasingly towards keeping records electronically rather than on paper and therefore turn like the rest of us to “business associates” to manage electronic information, recent HIPAA revisions have been required to redefine what it means to be a business associate, to redefine rules for notifying patients and the government of potential privacy breaches and, of course, to redefine HIPAA’s “penalty structure.”

In 2009, as the Chicago Daily Law Bulletin recently reminds us, our acronym-loving Congress gave us the Health Information Technology for Economic and Clinical Health Act – or “HITECH” – as part of the Orwellian-named American Recovery and Reinvestment Act of 2009 (ARRA).  (You’d think they could have at least called it the American Recovery and Government Help! act, or “ARGH!”)

In keeping with the current administration’s “nudge” theory of incentivizing certain behaviors, ARRA (or ARGH!) aims to create a national care information technology infrastructure, together with “specific incentives designed to accelerate the adoption of electronic health record systems among providers” while still, of course, ensuring your medical privacy.  With ever-increasing cyber-attacks on American computer databases from China, al-Qaeda, and Iran, what could possibly go wrong?

The published “interim final” regulations just for “Breach Notification for Unsecured Protected Health Information” run to over thirty full pages in the Federal Register, and if you really want to read them you can find them here.  But let me save you some trouble:  according to the Department of Health and Human Services website, “This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care.”

Got it?  Good.  Because if you’re a “covered entity” or “business associate” and you “secure health information as specified by the guidance through encryption or destruction,” then according to HHS you are “relieved from having to notify in the event of a breach of such information.”  (Fortunately, for your convenience, this guidance will be “updated annually.”)  But if you don’t, then you must inform the affected patients and the U.S. Department of Health and Human Services, and you may get fined – as much as $50,000 per violation, depending on severity and circumstances – and according to a practitioner quoted in the Law Bulletin story each record that gets released is its own violation.

So if you’re a provider or a business associate, be sure you don’t go leaving your laptop containing patient information on the bus or the train.  But according to another practitioner quoted in the same story, a lot of lawyers will set up a “business associate agreement” for the same $50,000 that you might get fined if you don’t have one.  And if you’re a patient and the Chinese or al Qaeda nonetheless gets hold of the records of your last prostate exam, then at least the U. S. government can collect a fine from your health care provider or its business associates.

In the end, then, everybody wins – except for common sense, the taxpayer, and the hopes of streamlining government in the wake of sequestration.

Welcome back to Nannyland!