Re: Part 2: System Structure

[Jonathan S. Shapiro]

On Thu, 2006-05-18 at 22:15 +0200, Marcus Brinkmann wrote:
> In an article "Justice Department Opinion Undermines Protection of
> Medical Privacy", from 7th of June 2005, Peter P. Swire, who was
> involved in the creation of the rule, says that "Industry pressure has
> stopped HHS from bringing a single civil case out of the 13,000
> complaints", and heavily critizes an opinion that "essentially makes
> the privacy rule into a voluntary standard".

Yes. As I said, the regulation itself has serious problems -- including
enough internal contradictions that it is technically impossible to
comply. After all of the arguments go back and forth, and the dust
settles, this is the real reason that industry has resisted so hard and
enforcement has not been possible.

However, industry has not been arguing that a regulation of this form
incorporating mandatory computational enforcement of privacy guards is a
bad idea. They have been arguing that it is improper to enforce a
regulation that cannot, in principle, be satisfied because of its own
internally contradictory requirements.

The likely outcome, over time, is that HIPAA will get revised
progressively to resolve the major confusions, and the rest will be
resolved by precendent in civil litigation over time.

However, none of this will change the basic fact that *everyone*
(including the hospitals!) agrees with: there is a real requirement for
computer-enforced compliance on medical privacy, because the social
process of enforcement wasn't working.

The current problem with HIPAA is not a failure of the social
enforcement process. It is a failure of the social process of
specification, and that is slowly being corrected. What we are seeing is
a struggle to accurately capture a properly balanced objective, but
there is universal agreement that some form of digitally enforced
disclosure control will be part of the technical solution.



shap