When the federal Health Insurance Portability and Accountability Act (HIPAA) took effect three years ago many health care providers worried about the stiff penalties for failure to protect patient’s privacy. Although some patient advocacy groups fretted that the law did not go far enough, most experts predicted that the law’s criminal and civil sanctions would make the medical community sit up and take notice.

HIPAA authorized the federal government to impose civil penalties of $100 for each violation of patients’ privacy rights (up to a total of $25,000). In addition, more egregious breaches can be punished criminally, with fines up to $250,000 and jail terms as long as ten years.

Three years later, the early results have been accumulated and reported. The actual sanctions imposed by the Department of Health and Human Services so far: two criminal prosecutions, and not a single civil fine. One Seattle man was sentenced to 16 months in prison for stealing credit card information from a cancer patient, and a Texas woman was convicted when she was caught selling an FBI agent’s medical records.

The lack of sanctions is not for lack of reported violations. So far the Department has logged 19,420 complaints filed by patients. Those grievances include allegations that medical records were poorly protected, that too much information was released in individual cases, that proper authorization was not obtained prior to record releases, and that some providers made it too difficult for patients to see their own medical records. Over 73% of the complaints (over 14,000 of those filed so far) have been closed by the agency’s Office of Civil Rights, which was charged with enforcing the new law.

The government’s approach to HIPAA violations so far has been to start by counseling the offending health care providers, and getting them to change their practices to comply with the law’s requirements. That approach has resulted in a low prosecution rate, but arguably more willingness to acknowledge problems and work on making the systemic changes needed to protect medical records in the future.

One irony apparent in the result: while health care providers were often hysterical about the new HIPAA rules three years ago, they may have become complacent about patient privacy considerations in the ensuing years, since no negative effects seem to flow from failure to safeguard privacy. The problem is likely to worsen as the industry moves toward the shared computer databases being pushed by the government in an effort to improve efficiency and quality of care. Without stronger enforcement HIPAA may not provide adequate protection in the future, argue privacy advocates.

Would you like to subscribe to Elder Law Issues? Simply provide your e-mail address and name below, and click "Subscribe". At the same time, you may choose to also subscribe to The Voice, the newsletter of the Special Needs Alliance.

Privacy note: We do not ever use your e-mail address or name for any purpose other than to send out our subscription-based newsletter. You can rest assured that we will not sell, trade or share this information with any other person or entity. We have no ancillary or associated companies or entities to which we could provide your e-mail address, either.

© 1993-2009 Fleming & Curti, P.L.C.
330 N. Granada Avenue, Tucson, Arizona 85701
520-622-0400 /  FAX: 520-203-0240