The Seattle Times Nation & World

Monday, June 5, 2006 - Page updated at 07:49 AM


Feds go easy on medical privacy violations

The Washington Post

WASHINGTON — In the three years since Americans gained federal protection for their private medical information, the government has received thousands of complaints alleging violations yet has not imposed a single civil fine and has prosecuted just two criminal cases.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.

The government has "closed" more than 73 percent of the cases — more than 14,000 — either ruling there was no violation or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.

"Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well," said Winston Wilkinson, who heads the Department of Health and Human Services (HHS) Office of Civil Rights, which is in charge of enforcing the law.

While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health-industry analysts.

They say the government's decision not to enforce the law more aggressively has failed to safeguard sensitive medical records and made providers and insurers complacent about compliance.

"The law was put in place to give people some confidence that when they talk to their doctor or file a claim with their insurance company, that information isn't going to be used against them," said Janlori Goldman, a health-care privacy expert at Columbia University.

"They have done almost nothing to enforce the law or make sure people are taking it seriously. I think we're dangerously close to having a law that is essentially meaningless."

What the law does

• Gives patients more control over their health information.

• Sets boundaries on the use and release of health records.

• Establishes safeguards that health-care providers and others must achieve to protect health privacy.

Source: U.S. Department of Health and Human Services

Intensified debate

The debate has intensified amid a government push to computerize medical records to improve the efficiency and quality of health care.

Privacy advocates say large centralized electronic databases will be especially vulnerable to invasions, making it even more crucial that existing safeguards be enforced.

The highly touted Health Insurance Portability and Accountability Act — commonly known as HIPAA — guaranteed for the first time beginning in 2003 that intimate medical information was protected by a uniform national standard instead of a hodgepodge of state laws.

The law assigned enforcement to HHS, including the authority to impose fines of $100 for each civil violation, up to a maximum of $25,000.

HHS also can refer possible criminal violations to the Justice Department, which could seek penalties of up to $250,000 in fines and 10 years in jail.

Wilkinson would not discuss specific complaints but said his office has "been able to work out the problems ... by going in and doing technical assistance and education to resolve the situation. We try to exhaust that before making a finding of a technical violation and moving to the enforcement stage. We've been able to do that."

About 5,000 cases remain open, and some still could result in fines, Wilkinson said. "There might be a need to use a penalty. We don't know that at this stage."

His office has referred at least 309 possible criminal violations to the Justice Department.

Officials there would not comment on the status of those cases other than to say they would have been sent to U.S. attorney or FBI offices around the country for investigation.

Seattle, Texas cases

Two cases resulted in criminal charges: A Seattle man was sentenced to 16 months in prison in 2004 for stealing credit-card information from a cancer patient, and a Texas woman was convicted in March of selling an FBI agent's medical records.

Representatives of hospitals, insurance companies, health plans and doctors praised the government's emphasis on voluntary compliance, saying it is the right tack, especially because the rules are complicated and relatively new.

"It has been an opportunity for hospitals to understand better what their requirements are and what they need to do to come into compliance," said Lawrence Hughes of the American Hospital Association.

"We're more used to the government coming down with a heavy hand where it's unnecessary," said Larry Fields, president of the American Academy of Family Physicians. "I applaud HHS for taking this route."

But privacy advocates say the lack of civil fines has sent a clear message that health organizations have little to fear if they violate HIPAA.

"It's not being enforced very vigorously," said William Braithwaite of the eHealth Initiative and Foundation, an independent, nonprofit research and advocacy organization based in Washington, D.C. "No one is afraid of being fined or getting bad publicity ... as long as they respond, they essentially get amnesty."

The approach has made health-care organizations complacent about protecting records, several health-care consultants said.

A recent survey by the American Health Information Management Association found that hospitals and other providers still are not fully complying and that the level of compliance is falling.

"They are saying, 'HHS really isn't doing anything, so why should I worry?' " said Chris Apgar of Apgar & Associates in Portland, a health-care industry consultant.

Goldman and others questioned why the government is not conducting more independent audits of compliance in addition to investigating complaints.

"It's like when you're driving a car," said Gary Christoph of Teradata Government Systems of Dayton, Ohio, another consultant. "If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply."

Wilkinson's office has conducted a "handful" of compliance reviews, an HHS spokesman said, and completed one — a case involving a radiology center that was dumping old patient files into an unsecured dumpster.

The center agreed to hire a company to dispose of old records, and no fine was levied, the spokesman said.

Wilkinson said the size of his staff limits their ability to do much more than respond to complaints.

Goldman said surveys show people avoid seeking treatment when they are sick, pay for care out of pocket or withhold important details from their doctors for fear that their medical information will be used against them.

"The law came about because there was a real problem with people having their privacy violated — they lost jobs, they were embarrassed, they were stigmatized. People are afraid," said Goldman, who also heads the advocacy group Health Privacy Project. "That's still a huge problem."

Copyright © 2006 The Seattle Times Company
