Monday, June 5, 2006
For all the hand-wringing about HIPAA, much of it reportedly fueled by the possibility of criminal penalties and draconian civil fines, today's Washington Post reports that punishments have been few and far between:
In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.
Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.
The government has "closed" more than 73 percent of the cases -- more than 14,000 -- either ruling that there was no violation, or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.
As the article says, this approach to enforcement by HHS's Office for Civil Rights pleases the health care industry but has privacy hawks up in arms. [tm]