Note to self: HIPAA is broken in a big way. I went for a medical procedure yesterday and beforehand I had to sign a 2-page privacy form. Read the highlighted part at the beginning and tell me if you would even bother reading the rest. It basically says the provider has the right to change anything about its policy at any time without consent of the patient and have it apply retroactively to any patient information they’ve gathered in the past.
Hrmmmm… so lemme get this straight: it’s mandatory that we agree to a contract that says the other party can change anything at will with no consent from us, no repercussions and have it all apply retroactively to what was agreed upon prior? What’s the point in reading the rest of the agreement after that clause if they can change it to anything after the fact on a whim? That’s the equivalent of a car dealer selling you a car and putting a clause in the contract that he can change the price at his discretion after you drive off the lot and you are responsible to pay it. And not only that, but this arrangement now applies to every car he’s ever sold in the past! Would anyone ever do business with such a dealer if they had other options?
I’ve decided that HIPAA is worthless. We had to implement HIPAA-compliant security measures on an extranet project we did for a mental health provider last year but now I realize that all the technical security you put in place is pointless if the policies themselves that dictate how the information gets used (abused) can be changed at random.
It seems to me the way to fix this idiocy is not through consolidating things further by piling up more convoluted governmental policy for all medical providers but instead by purposefully fragmenting the data and eradicating the existing policies to give people choices as to who they can deal with. People will vote with their wallets as to which policies are reasonable. As it stands now you have no option: you are bound by these ridiculous policies and you are dealing with a faceless monster. And worst of all it’s not even the providers’ fault nor within their power to make things better. The bigger picture here of insurance and governmental bloat is disturbing really. Free market forces will take care of this type of nonsense if they are allowed to work on their own. The role of this country’s administration should be to ensure that free market forces are allowed to do their thing unencumbered, not to legislate and enforce laws about what can be done with information.
There are no fewer than ten other nonsensical clauses in this Swiss-cheese-of-a-privacy policy. This document would simply not fly in a consumer-facing, unregulated business. You can read the whole ridiculous medical privacy policy here if you feel so inclined. Sorry for the rant but this really is just idiocy plain and simple.
I think the wording in the privacy statement is to cover themselves should HIPAA regulations change, and they need to update the privacy statement.
If I remember correctly, the privacy statements are not issued by HIPAA, rather HIPAA mandates that health care providers have privacy statements that meet their guidelines.
I worked in the health care field for a long time, and while the guidelines are sometimes a pain to follow, they are ultimately there to protect the patient (which in some cases may be ourselves).
“It seems to me the way to fix this idiocy is not through consolidating things with more over-arching government policy that applies to all medical providers but rather by purposefully fragmenting the data and eradicating the policies to give people choices as to who they can deal with. People will vote with their wallets as to which policies are reasonable.”
Right on, thank you.
[…] Read his article to see exactly how HIPAA wrote the policy so that they could thumb their noses at privacy any time they want to. […]
This policy is a joke. It would never hold up in law and you of course wouldn’t be liable or subject to changes that are made. It is just a poorly worded privacy policy. The crazy thing is that HIPAA only requires you to have a privacy policy, but there are no controls to make it good, enforceable or appropriate.
There can be debate on this issue but I think this organization had created their own policy statement. There is no such point mentioned in the original HIPAA policy as per my knowledge.