Nonetheless, this mastery of batting the ball and shaking and gyrating the machine came to an end for even the most skilled of pinball wizards. Many players would continue to shake and gyrate the machine after their last steel ball (back than you got at least 3 balls) had fallen, but there was simply no denying the reality of what the scoreboard prominently displayed in bold letters...GAME OVER !
Sure, those with paper routes or other sources of quarters could keep pumping legal tender into the system to give it another go around, but the result was inevitably the same. Eventually you have to give into reality. You can't bat the ball around forever.
The idea of health care organizations having to take responsibility for security and privacy in an ever expanding digital age is certainly not new. The first HIPAA regulations passed in 1996. I am no math genius, but that is about 14 years by my calculations. In 14 years, however, health care organizations and providers have been lax in dealing with security. I currently serve on the CalPSAB security steering committee, and that seems to be something we all agree on (actually, we seem to agree on a lot more than that). Having just returned from the Safeguarding Health Information: Building Assurance through HIPAA Security conference in Washington DC, it seems quite clear that the Office of Civil Rights (OCR) and Federal Trade Commission (FTC) are also aware that a lack of due diligence on the part of health care practitioners (and business associates) with respect to security and privacy has gone on long enough.
Nonetheless, we still see organizations (such as The American Medical Association, American Osteopathic Association and Medical Society of the District of Columbia) fishing for more quarters to pump into the machine.
Hey! Why not? They have plenty.
In an article published on the excellent Health Data Management Blog, the author references a lawsuit filed by the aforementioned entities. The essence of the lawsuit is that health care organizations do not want to fall under the authority of the FTC with respect to the "Red Flags" rule the FTC currently requires creditors to abide by. The (ridiculous) claim being made by the filers of the lawsuit is that (from the article):
Among other factors, the medical associations argue that physicians are not commonly referred to as "creditors," nor are patients ordinarily thought of as "account holders" or "customers."
Wow! Am I understanding this correctly? This is coming down to a definition of what a "creditor" or "customer" is?
At the Washington DC meeting one of my takeaways was that OCR is really putting the hammer down, and perhaps they should consider less "stick" and more "carrot" in dealing with organizations that have to comply with the rules. However, when I witness the equivalent of a bunch of pinball wizards banging on a machine as they fish for more chances to avoid the inevitability of owning up to the fact that batting balls around eventually loses its charm, I shed some of my sympathy.
The Health Care Industry simply cannot keep playing this game forever. It is time to focus their energy on ways to address security and privacy concerns in a meaningful way, and stop fighting what is inevitable.