Protection of PII has, for a long time, been a central tenet of USA-based health care IT (due to the HIPAA / ARRA-2009) regulations.
It's possible to do that fairly well, and still leave need-to-know exceptions. (The subsititute nurse on the intensive care unit needs to know if a particular patient has Crohns disease, for example).
My point is, PII CAN be protected reasonably well. It takes executive will to do so, and training, and monitoring.
I worked in a hospital for a while. They had good training on how to avoid misusing PII. It starts with "don't look up your ex or your senator" and goes into ways to keep patient data safe.
When there IS a leak HIPAA-covered operations are obliged to disclose it. See here for the catalog of recent disclosures.
Doing privacy right is systemically possible. But it's a systemwide task, not just a one-off training or audit.
(Now, we can talk about whether HIPAA's main point--preventing insurers from abusing patient data--is working or not. Your doc makes you sign a permission slip letting insurers see your information, so you waive that protection in return for reimbursement. But that's a different issue.)
> PII CAN be protected reasonably well. It takes executive will to do so
These is where the EU's new data protection law (GDPR) could help. It has large fines, and the ability for NGOs to sue you on behalf of users. When the alternative is a big fine, it's easier to find the will.
It's possible to do that fairly well, and still leave need-to-know exceptions. (The subsititute nurse on the intensive care unit needs to know if a particular patient has Crohns disease, for example).
My point is, PII CAN be protected reasonably well. It takes executive will to do so, and training, and monitoring.
I worked in a hospital for a while. They had good training on how to avoid misusing PII. It starts with "don't look up your ex or your senator" and goes into ways to keep patient data safe.
When there IS a leak HIPAA-covered operations are obliged to disclose it. See here for the catalog of recent disclosures.
Doing privacy right is systemically possible. But it's a systemwide task, not just a one-off training or audit.(Now, we can talk about whether HIPAA's main point--preventing insurers from abusing patient data--is working or not. Your doc makes you sign a permission slip letting insurers see your information, so you waive that protection in return for reimbursement. But that's a different issue.)