On Thu, 2006-05-18 at 22:15 +0200, Marcus Brinkmann wrote: > In an article "Justice Department Opinion Undermines Protection of > Medical Privacy", from 7th of June 2005, Peter P. Swire, who was > involved in the creation of the rule, says that "Industry pressure has > stopped HHS from bringing a single civil case out of the 13,000 > complaints", and heavily critizes an opinion that "essentially makes > the privacy rule into a voluntary standard".
Yes. As I said, the regulation itself has serious problems -- including enough internal contradictions that it is technically impossible to comply. After all of the arguments go back and forth, and the dust settles, this is the real reason that industry has resisted so hard and enforcement has not been possible. However, industry has not been arguing that a regulation of this form incorporating mandatory computational enforcement of privacy guards is a bad idea. They have been arguing that it is improper to enforce a regulation that cannot, in principle, be satisfied because of its own internally contradictory requirements. The likely outcome, over time, is that HIPAA will get revised progressively to resolve the major confusions, and the rest will be resolved by precendent in civil litigation over time. However, none of this will change the basic fact that *everyone* (including the hospitals!) agrees with: there is a real requirement for computer-enforced compliance on medical privacy, because the social process of enforcement wasn't working. The current problem with HIPAA is not a failure of the social enforcement process. It is a failure of the social process of specification, and that is slowly being corrected. What we are seeing is a struggle to accurately capture a properly balanced objective, but there is universal agreement that some form of digitally enforced disclosure control will be part of the technical solution. shap _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
