Talk:Health Insurance Portability and Accountability Act/Archives/2014

Major DELETION and REWRITE of "Notable Violations"

Before my edit, this section was arbitrary and capricious in singling out one incident involving Shasta Regional Medical Center (SRMC) that was reported in the California media, which was *not* in fact a verified example of a HIPAA violation as written in the deleted text at the time it was written (more on this below). Instead I replaced it with objectively more significant reports -- plural -- of violations reported in impartial government sources. Wikipedia is not an advocacy forum, it is a reference work, and the singling out of SRMC executives or the parent corporation Prime Healthcare Services here violates Wikipedia's NPOV in terms of undue weight, balance, impartial tone, and bias in sources. First, the deleted text did not describe actual violations -- plural -- it only contained one case of a single alleged violation. Second, I do not like to get lawyerly and use terms like "alleged" but it is appropriate here because the text cited statements made by people quoted in 2012 newspaper articles but they are not the ones who make a determination of a HIPAA violation, that lies with the United States Department of Health and Human Services Office for Civil Rights (OCR). The SRMC incident took place in 2010 (not 2012 as referenced in the deleted text) and the text appears to have been written in 2012 based on the sources, and edited as late as Sept 2013 based on the page history. However, there was nothing verifiable that a HIPAA violation took place in the text as it was written and with the sources it cited. Nevertheless, in June of 2013, reports surfaced that a separate action by the California State Dept of Public Health resulted in fines to Prime Healthcare of $98,000, and that Prime Healthcare announced a settlement with DHHS OCR of $275,000. So one could say there *was* a HIPAA violation but not because of the deleted text's insinuations, but through public sources that were never referenced in the deleted text. Third, the problems with balance and weight of the SRMC incident as an illustration for HIPAA violations is more important that the above issues of veracity, tone, and timeliness of the deleted text. That is why it is not an appropriate action to update the references in the deleted text, rather better and more appropriate examples of HIPAA violations -- plural -- should occur if there is to be this kind of section in the article at all. For example, according to HHS, between April 2003 and January 2013 there were 91,000 complaints of HIPAA violations reported in which 22,000 led to enforcement actions of varying kinds (from warnings to fine) and 521 led to referrals to the US Dept of Justice (criminal actions)(http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html). Note that in 2010 alone, when the SRMC case took place, there were 8,700 reports of violations (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/complaintsyear.html). In this context it is hard to argue that the lone SRMC case was notable or unique in any way that justifies its inclusion in this Wikipedia article, when by comparison, there are many instances of clearly more significant examples. Neither the numbers nor fines in the SRMC are significant. For instance, the largest loss of control over patient information was committed by Tricare Management Activity of Virgina in 2011 that affected 4.9 million people, while the second largest breach of confidential records arising from the theft of a desktop computer occurred with Advocate Health and Hospitals Corp of Illinois in 2013 that affected 4.0 million people (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html). The largest civil fine imposed by HHS OCR was $4.3 million against Cignet of Maryland in 2011 (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltynotice.pdf). THOSE are significant and notable examples of HIPAA violations. THOSE belong in the reference article. That is why I used them to replace the relatively parochial and relatively minor SRMC incident whose description and inclusion violates Wikipedia's NPOV rules in multiple ways. I added a table for the penalties imposed by HHS for violations of HIPAA, both civil and criminal. Finally, I renamed the section to the more broad heading of "Violations of HIPAA."Lapabc (talk) 21:47, 4 March 2014 (UTC)