HIPAA has strict rules with severe penalties, but enforcement is at best spotty. So honest hospitals and doctors offices bend over backwards to comply with the rules at great expense, but bad actors are rarely punished. It's the worst of both worlds. I'm pretty sure that is why the punishments are so harsh, because they need to put the fear of god into practitioners to make them take it seriously since there are so few inspectors.
It's the difference in medical establishment skill level between your doctor and you. You are always at a disadvantage. I've long thought that a disinterested third party needs to be involved. Someone with real oversight taking a position adversarial to the hospital and strictly to create the best possible outcome for the patient.
This is true, however getting it funded is the difficult task.
For it to be effective, the money can't come from the provider, meaning it's either from the payer or the patient. The payer doesn't really care, costs are contained as far as they are concerned, with the various Quality Initiatives. That leaves the patient to sign up for a subscription model.
I explored that as a business 12 years ago, and sadly there is still a need. The worst part is that most clinicians actually want to do the right thing but it's the admins in their organization who set up processes that result in terrible outcomes.
