It is argued here that there should be no barrier to individuals selling their Protected Health Information. That’s right, companies like WellPoint which was fined $1.7 million which money goes to HHS this month, July 2013, has received in exchange a Release by HHS that includes the provision that the payment by WellPoint is according to the Resolution Agreement B 3 is “Not an admission of liability by WellPoint.”
Reading through the jargon a few things should immediately hit the consumer, first, there was no bad intent found because a mere $1.7 million presumably would not have been enough to get out of trouble had there been and there’s no mention of any criminal prosecutions (as usual). Second, it likely cost both parties, the government and WellPoint around as much or more in prosecuting and defending the situation. Third, there is NO recourse for the 612,000 people who were casualties of WellPoint’s corporate “Whoops.”
Let’s figure that one out, you can read it for yourself by searching HHS.gov “WellPoint pays HHS $1.7 million for leaving information accessible over Internet.
FIRST, WellPoint informed on itself according to the statement of facts, notifying HHS in June of 2010 regarding a “breach of certain of its unsecured ePHI (electronic protected health information).
SECOND, from 10/23/09 until 3/7/10 “WellPoint impermissibly disclosed the ePHI including names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information of 612,000 individuals whose ePHI was maintained in the web-based application database.”
THIRD, HHS gets $1.7 from WellPoint in July 2013.
FOURTH, Individuals exposed to privacy violations get nothing.
I have always taken issue with HIPAA in terms of its effectiveness and its failure to provide financial remedies to the individuals whose privacy rights are violated. (examples include post entitled “Electronic Health Records: Has President Obama Gone Rogue?” where on 6/25/12 I discussed Obama’s push for electronic health records, and as far back in May of 2008, in a posting, “HIPAA: Get rid of it and save some Fed $,” where I argued that we should save money by getting rid of HIPAA.
All these years later, I believe that IF HIPAA is here to stay, then companies should remain obliged to perform the administrative junk work for HIPAA, including the self-reporting requirements which have companies turning themselves in for HIPAA violations, BUT that individuals affected by NEGLIGENCE, the civil side of HIPAA violations as opposed to criminal violations, should be the ones making deals through agreements that provide for no admission of liability on the company’s part and receiving payment for the provision of a release much like the Federal government is doing on their behalf.
Today, there is little to no recourse provided for or available to individuals such as the 612,000 whose information was released by WellPoint. HHS collected a slap on the wrist fine from WellPoint but the individuals whose information is out there received nothing. It would be far better for consumers to have the option to sell their own personal health information.
