More HIPAA Rules for Lawyers “The Beatings Will Continue Until Morale Improves!”

By: Martin Merritt, Esq.
Past President, Texas Health Lawyers Association
Past Chair, DBA Health Law Section
martin@martinmerritt.com

“Please Tell Me you Didn’t. . . How to Keep Clients Out of the Jailhouse, Poorhouse and Lawyers Out of the Nuthouse” -Blog


As you can tell, I love talking about health law and litigation issues, and general wellbeing. If you have any health law questions or, better yet, need to refer a case, just call or drop me an email and I will happily talk.


Cheeky Monkeys. It doesn’t take a genius to be a thief or even to hold what you’ve stolen for ransom. You can train a monkey to do it. Tourists at a temple in Bali, Indonesia are getting their valuables stolen and held for ransom—by long-tailed macaque monkeys who have learned to steal items from tourists, then negotiate a tribute in exchange for the valuables’ return.

You can watch it all on YouTube, as tourists walk by the temple and one of the monkeys grabs the tourist’s cell phone or sunglasses. The tourist must offer a treat to get the monkey to drop the merch. But if a tourist offers too little, a banana instead of a Snickers, the tourist receives a growling rebuke. It’s all great fun and, to be sure, the tourists do invite and cooperate in the criminality.

“With men we will get money, with money we will get men, said Caesar.” Which brings me to today’s topic: the US Dept. of Health and Human Services Office of Civil Rights (“OCR” or “HIPAA Police”) has proposed new rules to blame management companies, lawyers and providers for not trying hard enough to stop cyber criminals from getting our private information.

First observation: as I have published before, the Office of Civil Rights doesn’t give one whit about your “civil rights.” See “HIPAA and Medical Records Privacy, A Survival Guide for Texas Attorneys,” 78 Tex. B. Journ. No. 7, 540 (July 2015). That’s just a “stalking horse” for the real intention, which is to try to protect government programs from financial thieves.

Second observation: There is also a line of thinking, dating back to Thomas Jefferson’s “Notes on the State of Virginia,” that federal agencies exist to expand power and tyranny, just like the old monarchs did. Give ’em a little power, they only use it to get more power:

“With money we will get men, with men we will get money, said Caesar. . .
It is better to keep the wolf out of the fold, than to trust to drawing his teeth and talons after he shall have entered.”

“The Beatings Will Continue Until Morale Improves.” Let’s see how government “beatings” have been working so far. Regardless of the regulating agency, HHS or FTC or Treasury banking regulations, anyone with personal information has to “double pinky swear” to try really, really hard to protect it.

In 2024, healthcare data breaches affected 184,111,469 records, representing 53% of the U.S. population, with 703 large breaches reported to OCR. The largest breach occurred at Change Healthcare, affecting 100 million individuals through a ransomware attack that caused widespread disruption to healthcare services and medication access across the U.S. healthcare system. The year saw 13 breaches involving more than 1 million healthcare records each, with 11 caused by hacking incidents and 8 involving business associates of HIPAA-covered entities.

But don’t worry (your data is already out there), so nothing we do will probably make any difference. (The “beatings” just make the OCR feel like they are doing something productive, like growing their own agency, when they don’t have a clue what to do.) While writing this, I received another LifeLock email that 50 million college student records were stolen from something called “PowerSchool.”

This is but one of many alerts I have received that companies I have never heard of have lost my private data. Previously, there were 855 million records leaked from mortgage giant First American Financial; an Equifax data breach that resulted in 147 million customer records stolen; a Capital One event where 100 million credit applications were stolen; and JP Morgan Chase, where 83 million accounts were stolen.

Final observation: I don’t think “trying harder” is working. This has gotten so ridiculous, I don’t think there is any point pretending that our data has any “privacy” left. That won’t stop the OCR from passing new rules to punish us until we “do better.”

The proposed changes include rules for both Covered Entities (like doctors and hospitals) and Business Associates (like lawyers and accountants) to do more training and report more on how much training they have been doing. This assumes the breaches are due to ignorance.

The word “sabotage” comes from the French word “sabot,” which is a shoe made of wood worn by peasants. Peasants working in factories, fearful they would lose jobs to technology, would deliberately use the shoes (sabots) to either kick machines or clog the gears, to prevent progress. See also, “Luddites.” Instead of a wooden shoe, today employees just need to click on an email from a Nigerian Prince.

I personally would like to see us use drones to drop electronic pulses on top of the bad guys’ heads, to fry their computers. (Might not work, but I feel better.)

Until then, the only way to protect ordinary people is on the back end. Banks have gotten pretty smart about knowing when I didn’t buy Grubhub in Amsterdam. I don’t want to know how they do it. . . (Just keep doing it!)