Reviewing the reports of HIPAA breaches, which are a subset of the near-daily significant data breaches, alongside the recent reports of breaches of information either entrusted to the government (e.g. medical and/or credit information) or information the government is both logically and legally responsible for safeguarding, reveals a significant disconnect. With respect to HIPAA, the current regulatory environment demands a very high level of compliance, backed by significant fines and governmental intervention in the case of a breach. When the government drops the ball, however, the most we can expect is an "oops," and maybe not even that.
Without going through the litany of recent governmental breaches, I will highlight the White House's recent confirmation that the Office of Personnel Management suffered a second cyber attack, in which the data of 4.2 million Federal employees was stolen. In addition, the April 2015 report of the Office of Inspector General (OIG) presented the results of its audit of the security controls of the Department of Health and Human Services (HHS), which identified numerous deficiencies.
Imagine a father heartily puffing on a cigar and a mother vigorously inhaling the smoke from her cigarette, both lecturing their teen about the dangers of smoking while, in the name of proper parenting, advising the child of the consequences they would administer if the child began smoking. I imagine that, at least to some, this scene would seem somewhat hypocritical.
I fully understand that there must be limitations on the ability of private citizens to sue the government and/or its employees carrying out governmental functions (sovereign immunity), but the real question is the propriety of imposing standards on private industry before one has cleaned up one's own house.
You may find this to be HIPAA-Critical (hypocritical), or you may feel that there is a critical need for the protections that HIPAA mandates and that, therefore, immunity and consequence-free breaches on the government's side are an acceptable price.
Irrespective of the answer, to the extent that we are asked to trust the government with protected health information (PHI) for its healthcare exchange, and to the extent that, at some level, the government may be competing with medical providers (e.g. through the various forms of Medicaid), is it appropriate to have two standards?
What do you think?