Info-Tech has a release out that says they analyzed the HIPAA law and found it useless. (The image is from the blog of David Hoffman.)

HIPAA stands for Health Insurance Portability and Accountability Act. It was signed by President Clinton in 1996, when he was trying to triangulate the new Republican majority in Congress with the idea of regulation, but managed by the private sector.

”HIPAA is a toothless tiger,” says Info-Tech analyst Ross Armstrong. “The first problem is that HIPAA is complaint driven, and complaint-driven enforcement doesn’t work. The second problem is that in the one HIPAA-related conviction that has occurred, only the individual was charged, not the organization itself."

“If HIPAA is to be truly protective and useful, healthcare entities and their executives must be held accountable in the same way that Sarbanes-Oxley holds CEOs and CFOs responsible.”

I'll go Armstrong one better. HIPAA is worse-than-useless.

HIPAA isn't entirely to blame for this, but it has driven the bulk of the medical profession into a very expensive case of Luddism. That's because HIPAA:

• Theoretically makes hospitals and insurance companies liable for mistakes; and
• Lets small practices out of this problem by refusing to computerize.

Mistakes in records and their release can happen. They do quite often. By accident. Not on purpose. But because there are automatic penalties (if someone complains) two things happen. The handling of all patient information becomes heavily bureaucratized, and patients are given legal gobbledygook aimed solely at keeping them from pursuing their rights if they arre violated.

It's the small practice exemption that really bites, however.

I'm a heart patient. I haven't had a heart attack (yet) but I have high blood pressure, high cholesterol, and low levels of "good" cholesterol. It's in my genes.

As a result I have to see my doctor regularly. I have to take various medicines that bring things into balance. And if I have a problem I have to literally threaten my doctor's staff to make him call me back, because my doctor (being a small practice) doesn't do HIPAA and doesn't deal with the Internet.

You see, the whole law is about "if you do this then you have to do that and thus and so" so the answer of the medical profession is simple -- don't do that.

• Don't have a Web site with links to patient information. You might be held liable for what's behind the links.
  
• Don't have an e-mail address where patients can contact you. You might be held liable for what's in your e-mail.
  
• Don't even give patients the chance to interact with your staff using the Internet, to check on appointments or make appointments, because you might be liable for their mistakes.
  

None of the doctors I or my family sees has so much as an e-mail address we can use to contact them. Even my dentist, who is a very active Web user, keeps all that separate from his work with patients. I don't know his e-mail address.

What's the answer? You don't want to give anyone a license for malpractice, but we have to create incentives for all doctors to be available online, and for them to link their patients to resources that will prevent expensive phone calls, call backs, and patient visits.

Web resources aren't cheap anymore. They're practically free. Doctors who don't take advantage of these resources are wasting money. Your money.