From the late 1990s to +/- 2012, one of the core theses for my investments was outsourcing. Some part of that was pricing ‘risk’ and building the mechanisms so that clients could transfer some part of that to a 3rd party, mine.
I’ve moved on since then and am operating on a new thesis, but the old one still exists on my back burner.
Let’s look at a problem but not its solution. HIPAA.
My general practitioner has a phone app that allows him to send texts. It is not cheap and it does nothing extraordinary that a phone cannot innately do, except be HIPAA compliant. For him, his staff, and perhaps all the people on the other side of the app, it is a time sucker and adds little (or no?) value. But it is law.
Commercial off-the-shelf technology is good enough; it’s cheap and effective. Specialized technology written to constantly evolving regulation is nightmarishly expensive and favors cronyism and monopoly.
And so here we are. Prices will continue to diverge as ever more of the internet ends up in the behemoth interconnected mess, the interplay of new technology and regulation.
HIPAA is in that thicket of regulations that has as its vague purpose “security” to protect patient privacy. Those few companies who become specialists at meeting regulations become advocates for the regulations, which puts them in fine position with the army of bureaucrats who promulgate and enforce regulations.
Finding vendors who meet 1 hurdle is hard; finding ones that meet 30 is nigh unto impossible unless the vendor is engineering the firm to market solely to this niche and charging monopoly rates as their reward.
In everyday life, if you buy a tool and that tool is useful for anything other than the immediate purpose for which you bought it, that is a bonus.
In HIPAA, as with cyber security, any behaviour outside the minimum absolutely required for the intended application is a security risk, because history shows multiple examples of such behaviour being exploited to cause the system to do things that it was not supposed to do. A secure system will deliberately be entirely inflexible, even if attaining that inflexibility while maintaining its intended function requires that a great deal of time be spent precisely determining the intended function and deliberately removing everything outside that intended function.
Security is a cost center. It is an externality: its costs are not priced in and the spillover effects are large.
HIPAA, and its related quagmire cybersecurity, is and always will be mostly a services sector and is therefore subject to cost disease.
Security is not the goal. A well-established audit trail is the goal. Being secure is not enough; you have to be able to demonstrate that everyone using the app is secure. The app my doctor uses has, as its only value, being a risk repository.
Medical consumers become a captive market facing greater monopoly as fewer firms can navigate the thicket of rules to even try to make money.
Government tag teams with industry and there is a tendency for people wary of legislative ‘excesses of Congress’ to lay a lot at their feet that is not really at their feet.
When I speak of compliance I am talking not just about federal government regulations, but also about those from the insurance companies and other actors.
Question: Does all that regulation have any real impact on my privacy?
Answer: Given the reality of corporate and government espionage on our data lives…
…I’m paying the HIPAA bill for privacy that…
…I don’t actually have…