Despite 34,000 complaints of violations in the last five years, the federal act has resulted in only a few prosecutions, and no civil fines have been levied.
WASHINGTON — When Congress passed a federal medical privacy law more than a decade ago, it was hailed as a new level of protection for patients nationwide. But even though the government has received about 34,000 complaints of privacy violations since it officially began enforcing the law five years ago, only a handful of defendants have been criminally prosecuted.
The half a dozen or so cases mainly involved clerical workers who pilfered patient information, using it to open credit card accounts or selling it to crooks who tried to bilk Medicare and the Internal Revenue Service.
Moreover, although the federal Health and Human Services Department has the authority to levy civil fines on medical service providers for privacy violations, it has yet to do so.
The recent revelation of snooping by UCLA Medical Center employees into the files of Britney Spears, Farrah Fawcett, California first lady Maria Shriver and dozens of other patients, however, may force a second look at the federal law, widely known as HIPAA, the Health Insurance Portability and Accountability Act of 1996.
Critics say the government’s approach — which focuses on getting providers to correct violations — may be too lenient, particularly at a time when medical records are increasingly being shifted from file folders to computers. In addition, a Justice Department legal opinion has stated that the law applies primarily to organizations — hospitals, health insurance plans and doctors’ offices — and only secondarily to individuals such as the low-level clerks most often implicated in information theft.
“If you are punishing the [organization] but not the person who actually did the dirty deed, then we are missing the boat,” said Doreen Z. McQuarrie, a Houston lawyer who specializes in healthcare issues and has studied the federal law.
The law was supposed to have had its greatest impact behind the scenes, ushering in a new era of sensitivity to patient privacy in the healthcare industry. But skeptics say that has not been the case.
“What the rules were supposed to do was regulate one of the most common conversations we have: ‘How are you?’ ” said Dennis Melamed, editor of the Health Information Privacy/Security Alert, which tracks the law and its enforcement. “They did it with an incomplete set of instructions, and when you are talking about an industry as huge as healthcare, that gets to be pretty difficult.”
Some privacy advocates say the law should be changed to give patients and their families explicit authority to specify who can — and cannot — see their medical records, although others in the industry argue that such stipulations would be very difficult to enforce.
Federal officials say they believe that implementation of the law strikes a balance between education and enforcement. Privacy violations are mainly investigated by the Health and Human Services Office for Civil Rights, and the office is required to try to resolve the problem before imposing fines or penalties.