Thank you once again Uncle Sam for doing everything within your power to stifle innovation. With the Health Insurance Portability and Accountability Act – HIPAA, you may have well reached the pinnacle of unnecessary, burdensome hurdles for an industry that needs innovation more than any other. I realize it’s been around a long time, but until I was confronted with it from the technology side, I wasn’t aware of how badly HIPAA has affected the medical profession, and by extension, our own health care.
I occasionally work as an independent software project manager, working on behalf of clients needing software and acting as their advocate with whomever they choose to develop their products. Recently, I worked for a family practice physician. He had a terrific idea for a mobile application that would not only help him and others in his profession, but it would also provide a better experience for their patients. My job was to develop the specifications for the project and to help him in finding the best developers, then guide him through the completion of the project. It turned out to be one of the most stupefying experiences in my professional life. After completing my assessment of the HIPAA requirements, I concluded the length of time to complete the project would triple, the cost for developing and operating it would quadruple, and the business case was all but destroyed. All of this due exclusively to HIPAA.
Software development is hard enough without facing bureaucratic obstacles at every step. I’ve had my share of that, so it wasn’t totally unexpected, but the degree to which HIPAA adds stumbling blocks was beyond anything I have ever experienced. I spent the last 10 years of my professional life as a software engineer while on active duty in the Air Force. I had confronted and successfully navigated many bureaucratic obstacles during that time. Subsequent to my military life, I developed software for the banking industry. There were plenty of government regulations there too. But none of that compared even slightly to the extraordinarily absurd monster known as HIPAA. The hurdles to innovation as well as the negative economic impact put in play by HIPAA are nearly incalculable, but be assured, they are staggering. By extension, that translates into poorer health care for us all.
Within HIPAA, there is something commonly referred to as The Security Rule, which became effective in 2004. It’s intent is to protect the privacy of patients. Nothing exemplifies how over-regulation cripples business and innovation like this rule. Only our Federal government can take a routine concept as simple as providing privacy and security of data and make it into the complex, counterproductive, inefficient and ineffective pile of bureaucratic nonsense that it has become. I won’t bore you with the technical details because 1) they are nearly indecipherable, and 2) nobody would read an article with all that mumbo jumbo in it.
The HIPAA Security Rule’s purported goal is to ensure that access to and the subsequent transmission and storage of that data must be protected. It sounds pretty simple, doesn’t it? Consumers deal with data like this nearly every day. Access to our private data, typically requires a user ID and password. Yes, sometimes they get compromised, but even when it does, it’s not a national security threat. If we want extra security, we ensure the data is encrypted while it is just sitting there and while it is in transit, whether in the cloud, our local hard drives, or even our mobile devices. To put this in perspective, if financial data were subjected to the same rules as medical data, you would never be able to access your financial data online or from a mobile application. We have adequate and strong protection mechanisms to support that now and we seem to be getting along fine, albeit with a few notable hack attacks scattered here and there. And with those, we have plenty of methods for correcting the problem. Apparently though, in its infinite wisdom, the government has decided the security that’s good enough to protect us when we log onto our bank using a mobile application isn’t good enough to let us communicate with our doctors in the same ways.
We all remember the incident a few months back when the FBI was frustrated because they couldn’t access the data on the phone of the terrorist that killed so many people in San Bernardino. Apple figured out how to do that in a simple and shall I say, effective way. The technology was sophisticated, but the processes were drop dead simple: Encrypt the data on the phone and require authentication to access it. If repeated incorrect attempts occur, destroy the data. If Apple can deploy mechanisms to protect data sufficient to thwart the FBI, don’t you think they could do it for medical applications without the government telling them how to do it?
Back to HIPAA. Every single data application that deals with patient information is required by law to be compliant with the HIPAA Security Rule. That compliance is where everything falls apart. Rather than adopt some common sense measures, they made the process for achieving compliance nearly impossible without weaving through a mountain of bureaucratic, often misleading and contradictory rules written by rule monkeys. The nightmare is so confusing, that an entire cottage industry has grown to help software developers comply. And quite frankly, my assessment of those vendors, their products and services, is no less confusing and overly priced.
There are cloud services for databases, emails, and various other time tested technologies that claim to comply with that mysterious Security Rule. Ah, but those tools aren’t nearly as sophisticated as they need to be, they often are full life cycles behind in technology, and they are ridiculously expensive. They are so unwieldy, inflexible and expensive that entrepreneurs are unable to make a business case for developing the products they need by using them. If they could access the vast tools that are supposedly non-compliant, but widely available and inexpensive that meet the technical needs of the product, they could more easily implement and field products that may well help save lives in the future. At the very least they would make health care more accessible and convenient, easier for physicians and other health care workers, and at a lower price. And let us not forget. It would improve our entire health care experience.
There are other barriers too. If someone develops a product they believe to be compliant, but it turns out later not to be, they are subject to enormous fines – I’m talking put doctors out of business and into bankruptcy kind of fines. The feds have “enforcers” anxiously awaiting the opportunity to find these hidden jewels in practices and hospitals everywhere. And to make matters worse, there is no way to get a product certified. That’s right, a software developer has to hire teams of lawyers to file through gobs of government regulations to make sure their product meets the requirements.
What is the result of this cartoonish nightmare? Entrepreneurs and innovators everywhere avoid entering the field of health care. It is so bad, that most venture capitalist firms refuse to even consider investing in health care applications. The sad part is that the goals of the Security Rule could easily be accomplished without all the unnecessary bureaucratic nonsense. I honestly believe I could write an adequate specification for the HIPAA Security Rule on a single page, using a large font size with triple spacing and still have a half a page left empty. Something like the following.
All medical records that can reasonably be associated with any patients must be protected using the following two requirements.
- Access: Authentication sufficient to meet the standards currently employed by financial institutions for remote access.
- Data in transit and at rest: Data must be encrypted using AES 256 bit encryption.
Let the lawyers put their scent on it, but with the requirement that it cannot exceed more than 300 words in length. This of course would require applying common sense, and we all know that government bureaucracies are practically incapable of that function. Nearly all businesses, even startups are faced with government imposed hurdles. The medical industry is just a single example of a giant web of unwieldy, unproductive, and unnecessary obstacles put forth supposedly to protect consumers. Pick any other regulated industry, and you’re likely to find the same. Ask a banker how much the cost of compliance has increased in the last decade. You’ll get similar answers. And what do we get for that? In the end, the harm far outweighs the benefits and the costs of compliance are directly transferred to us, the consumers. As is typical of government regulation, the cure is worse than the disease.