GAO Report on HIPAA's first year

The US GAO has produced a report on the first year of the HIPAA privacy rule. Over at HIPAA Blog, Jeffrey Drummond has posted his own snapshot for this first anniversary:

HIPAA Blog: GAO Reports on the First Year Experience:

"Of course, Privacy 'went live' way back in April 2003. How have things gone for providers, plans and clearinghouses? For the most part, according to the GAO (Government Accountability Office, not, as I always thought, General Accounting Office), fairly smoothly. There is some confusion and challenges abound (accounting for disclosures and business associate issues are highlighted), and the general public is ill-informed of the requirements and benefits, and governmental organizations face some specific problems. Anecdotal evidence shows some over-implementation of the rules resulting in family members being excluded from access to information on loved ones, and research organizations have their own troubles as well. But overall, the implementation of HIPAA has gone fairly well.

Personally, I think this is because the medical community has always been quite good at keeping private what is supposed to stay private. HIPAA was, in large part, drafted to fix a problem that existed primarily in the minds of the paranoid and over-reactionary. Were evil drug companies and marketing firms using personal medical information for nefarious (or at least profit-driven) purposes? Sure, it happened occasionally. But the vast, vast majority (well over the Ivory Soap threshold of 99.44%) of individuals and entities that had access to personal medical information maintained the privacy and confidentiality of that information at least as well as HIPAA now mandates. It's easy to fix a problem if it doesn't really exist in the first place."