HHS Relying Upon Voluntary Compliance To Enforce HIPAA

HHS has received more than 19,000 grievances regarding alleged violations of medical privacy provisions in the Health Insurance Portability and Accountability Act, but the agency has levied no civil fines and prosecuted just two criminal cases, the Washington Post reports.

Since its implementation in 2003, HIPAA has guaranteed a uniform federal law for ensuring the privacy of medical records. HHS has the authority to impose fines for civil violations ranging from $100 to $25,000, and officials can refer possible criminal violations to the Department of Justice.

The government has closed more than 14,000 of the 19,420 filed grievances, either ruling that a violation did not occur or allowing health care providers and insurers to correct violations voluntarily without issuing a penalty. At least 309 cases have been referred to DOJ.

The most common allegations involve improper disclosure of medical records, inadequate security for records, failure to obtain authorization to disclose records or difficulty for patients seeking to obtain their own records. An HHS spokesperson said the agency has conducted a "handful" of compliance reviews.

Reaction

Winston Wilkinson, head of the HHS Office of Civil Rights, which is responsible for enforcing the law, said, "Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's working out pretty well." Wilkinson added, "We've had challenges with our resources investigating complaints. We've been successful with voluntary compliance, so there has not been a need to go out and look." Wilkinson said about 5,000 cases remain open, which could result in fines.

Larry Fields, president of the American Academy of Family Physicians, said, "We're more used to the government coming down with a heavy hand when it's unnecessary. I applaud HHS for taking this route."

However, Janlori Goldman, a health care privacy expert at Columbia University and director of the Health Privacy Project, said, "The law was put in place to give people some confidence that when they talk to their doctor or file a claim with their insurance company, that information isn't going to be used against them." Goldman added that HHS has "done almost nothing to enforce the law or make sure people are taking it seriously. I think we're dangerously close to having a law that is essentially meaningless."

Chris Apgar, president of Oregon health care industry consultant Apgar & Associates, said providers "are saying, 'HHS really isn't doing anything, so why should I worry?'" Privacy advocates say the need to enforce HIPAA will increase if the federal government is successful in its effort to implement a system of electronic health records (Stein, Washington Post, 6/5).

This is part of the California Healthline Daily Edition, a summary of health policy coverage from major news organizations. Sign up for an email subscription.