HIPAA Lightly Enforced

The Washington Post reported this morning that the provisions of HIPAA that safeguard the privacy of medical records have been enforced very lightly by the Department of Health and Human Services. From the story:

In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.

The government has “closed” more than 73 percent of the cases — more than 14,000 — either ruling that there was no violation, or allowing health plans, hospitals, doctors’ offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.

This is a problem for lots of privacy regulation. Government enforcement agencies tend to prefer “big fish” and egregious infractions, and data privacy breaches often involve just the opposite: multiple smaller entities (here, many hospitals and doctors’ offices) whose individual violations, while very important to those they injure, do not add up to huge aggregate impact. And the basic civil fine is a measly $100 per violation. In that situation, limited resources for enforcement are somewhat predictable.

One Response to “HIPAA Lightly Enforced”

  1. [...] None has worked well. Law is stuck in a set of assumptions based on a technological era that was analog, with relatively expensive copying, and requires (expensive) enforcement. Code is vulnerable to being hacked, and it frequently interferes with the initial, desired user’s interactions with the data. Finally, attitudes are slow to shift, and efforts to make things cool / uncool are huge failures, as any parent with teenagers knows. [...]
