Trustworthy organizations do what they should even in the absence of legal enforcement

Joseph Conn of Modern Healthcare called attention in a blog post yesterday to the almost complete absence of civil penalties imposed against violators of the HIPAA Security and Privacy rules, pointing out that without some credible evidence of enforcement, legal regulations such as HIPAA are an empty threat. In his post, he points to the frequently repeated public emphasis on privacy and security and their essential role in engendering trust among patients and other health care stakeholders as incongruous with the “friendly persuasion” HIPAA enforcement approach employed by the HHS Office for Civil Rights during both the current and previous administrations, basically concluding that the only way to achieve better compliance with the law is to strengthen enforcement. The statistical highlights provided by OCR itself regarding HIPAA complaints, investigations, and negotiated settlements and other resolutions certainly seem to suggest that non-compliance is a widespread issue, but in arguing that legal requirements will be ineffective without more substantial enforcement, Conn implies that at least a significant subset of HIPAA-covered entities and business associates consider the lack of enforcement an invitation to violate the law.

Whether or not you agree with this specific argument, if its reasoning is correct, then the recommended corrective action (stronger and more proactive enforcement measures) on health care privacy and security cannot produce the trust that the government appears to be seeking. In an environment where individuals or organizations can only be expected to behave as they should because legal or other sanctions are present, the participants cannot be considered trustworthy, and therefore should not expect to be trusted by those they interact with, whether individual patients, peer organizations, or government regulators.
It seems entirely likely that relationships between different health care stakeholders — perhaps especially between health care entities and their regulators — are marked by distrust rather than trust, and that current government-led efforts to put in place effective governance, oversight, and enforcement mechanisms under the rubric of “trust frameworks” are more characteristic of distrusting relationships than of trust.