HIPAA and other mega-regulations like them have the same problems. And they do cause people to just give up rather than deal with the risk. I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
But this specific thread is about EU social network privacy fines, not US healthcare privacy fines.
The US courts aren't quite the same. They're a lot more independent. The ECJ has a history of surprising things, like hearing cases where one of the appellants wasn't aware he was involved in a court case at all and both sides turned out to be the same law firm, or simply voiding parts of the treaties they found to be inconvenient to the EU, or inventing new 'rights' on the fly (legislating from the bench). Like the right to be forgotten, which was invented by the judges in response to a lawsuit and required massive responses similar to the creation of entirely new regulations.
The Supreme Court is generally much better about following the Constitution, not inventing new laws on the fly and ensuring the cases before them are actually legitimate.
> I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
As someone who worked extensively on HIPAA covered data and systems, there are only three options here.
Option 1) Mandate no data protection. This is how you end up with hidden security dumpster fires like Equifax, when public companies are involved (cost of security vs profit).
Option 2) Strictly mandate how companies must behave to be compliant. Example: DoD (I believe?). Legal requirements always lag technical best practices.
Option 3) Generally mandate what compliance results in. Example: HIPAA. Results in lack of clarity and legal challenges.
Of these options, I'll take (3) every time.
If a startup isn't willing to make a best effort to comply (which is specifically worded into HIPAA and substantially reduces penalties), then I'd rather they not be able to touch my health data anyway...
HIPAA (and PCI compliance) has done little to prevent 1) in practice, especially when balanced against the huge costs it has on industry and the 'hidden' cost of crippled innovation.
You can't measure the true cost of hundreds of thousands of projects and startups that were never realized because HIPAA scared them away...and this is stuff that would have saved billions in healthcare costs, improved the public's health, and supported research/processes that could save lives.
Saying it's only a dynamic between "profit vs security" completely downplays the utility of technical progress in health care. This isn't just about quarterly profits of large mega-corporations.
As someone who started off working in the health space I can assure you I personally gave up on multiple potential projects because of HIPAA. And know of countless others who have to in spaces that seem "crazy" no one has yet built software for.
And I say this as a complete paranoid hawk on information security and privacy rights...
I hear you that it makes things more difficult, but I think it's hard to overstate how terrible & uninterested conservative revenue stream businesses (e.g. insurance, utilities) are at keeping up with IT trends.
Based on what I saw in a couple of the top 5 largest insurance companies, these are IT departments that would be storing personal data in databases open to every employee of the organization, were there not a law discouraging them doing so.
Why?
Because IT isn't their business. That perspective is changing (gradually), but the resistance to anything aside from business as usual is staggering.
Sure, but the other side of the equation is an unknowable number of thousands of lost lives and billions of dollars, because of medical advances that were never made.
There are other important values than privacy in the world!
As a consumer, my view is: if a potential idea is abandoned out of fear of HIPAA then HIPAA is working and I am thankful that that idea went nowhere. Soon, s/HIPAA/GDPR
This. I am not a HIPAA expert or anything, but if a company is not making an effort to protect the data, they don't deserve to make money off of products touching that data.
> HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
Good? This sounds like the law is doing what it's supposed to be doing - it's not enough to simply be smart, you have to also be sufficiently willing to pay attention to detail such that you don't accidentally design your systems in a way that leaks personal data. If you find this burdensome, maybe the world is better off if someone else develops it instead. (There are enough newly launched healthcare startups - Clover Health, Oscar, and One Medical all come to mind without even thinking - that I don't think that it's completely stifling innovation, which would be a different story.)
As a person who is much better at being smart than at being reliable and careful, I am totally okay being regulated out of this space - I don't trust myself not to just forget about something. I worry consciously about edge cases in my code because I know I won't worry about them subconsciously. If I want to go into this space, I imagine that I can just hire someone who's good at the regulatory part and willing to focus on getting that stuff right.
I don't understand this idea that smart people should be entitled to develop and market products in whatever way they want, simply because they're smart. I'm sure the Therac-25 programmers were very smart.
I've worked in the healthcare space. HIPAA doesn't scare enough people/companies away. Not by a long shot.
Sensitive personal medical info was routinely sent, by major companies, over insecure FTP or even plaintext email, on a regular basis.
Anyone who has ever had medical benefits at any point in their lives most likely has their benefit information, along with socials and more, sitting unencrypted in databases of a plethora of small companies/medical/insurance providers whose only concern for security is a mandatory HIPAA CYA compliance lecture every couple of years. The rest of the time they go about sending socials and pmi through plain text email or just leave shit on their desks for anyone to pick up.
The firms that HIPAA scares away aren't necessarily going to be the ones that have the most dubious security practices. They're going to be the ones that have a choice between business models that involve healthcare and ones that don't, and the ones that don't think they'd make enough money to justify the exposure.
Legislating from the bench is not a bad thing, to the extent it doesn't contradict a fully valid statute. Indeed, most law in the US is judicially created, and always has been, dating back to the English common law system from which we inherited ours.
American courts continue to create common law today. This happens less at the federal level only because the scope of federal common law is narrower.
I too have concerns over the breadth of the EU right to be forgotten, but not over the concept that a court could combine premises with a process of reasoning to arrive at such a conclusion.
The Supreme Court's focus on ensuring that the cases before it are actually legitimate is primarily for three reasons: keeping their workload manageable, deferring controversial decisions they don't actually need to make, and complying with the Case or Controversy Clause in the federal Constitution.
Notably, the Case or Controversy Clause does not bind the state courts. Whether they are willing to issue advisory opinions or perform other duties is a matter of state law.
If GDPR analogously has a chilling effect, reducing the proliferation of "social" products, I'd consider that a positive outcome. I don't really buy that any of these are "making the world a better place" as Zuck loves to say, though you might have a better case with the health products.
1) Despite the GDPR being a regulation, the national courts will decide first and only if appealed enough times, the ECJ will decide as highest court
2) The EU judiciary is based on the civil law system. In the US or UK or other common law countries, you have much more "legislating from the bench". In fact, most US laws are created by the judiciary.