June 05, 2006
HIPAA's Lax Enforcement
Today's Washington Post has an interesting story about how the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA) are not being enforced:
In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.
The government has "closed" more than 73 percent of the cases -- more than 14,000 -- either ruling that there was no violation, or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.
"Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well," said Winston Wilkinson, who heads the Department of Health and Human Services' Office of Civil Rights, which is in charge of enforcing the law.
While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health industry analysts. They say the administration's decision not to enforce the law more aggressively has not safeguarded sensitive medical records and has made providers and insurers complacent about complying.
The lax enforcement of HIPAA could be addressed if HIPAA had a private right of action. Currently, HIPAA doesn't provide a way for individuals to sue for privacy violations; enforcement rests entirely with HHS. A private right of action would make HIPAA more effective, because enforcement could no longer be stymied whenever the responsible agency isn't interested in enforcing the law. The Bush Administration has little love for the HIPAA privacy regulations, which it tried to kill when it took over from the Clinton Administration. Instead of killing them, the Bush Administration rewrote parts of the regulations, weakening them significantly. And now, the strategy seems to be to let the HIPAA regulations sink into irrelevance.
Posted by Daniel J. Solove at June 5, 2006 12:12 PM
Comments
Or maybe patient privacy complaints have more to do with service or outcome gripes than with real privacy breaches.
Or maybe the HHS/Bushies understand that our medical costs are high enough without the cost of dealing with private-right nuisance suits, especially when compared to the aggregate benefits of such a right. Remember, all the "savings" from HIPAA are from transaction code sets, not privacy regs.
Posted by: Indian Chief at June 5, 2006 03:16 PM
It's true that many if not most complaints are related to service or outcome. And it's almost certainly true that a private right of action would increase health care costs.
But if genuine and serious privacy violations are so rare, then enforcing the law in these cases should be relatively cost-effective and efficient. And there would be not-insignificant deterrent effects. Instead, we appear to have an enforcement scheme tilted entirely toward industry, with no incentive to comply. Where's the protection against your health plan leaking information to your employer? Or your hospital letting loose your identifying information via the kind of slip-up we saw with the VA? If we're accepting promises to "do better" as the only remedy, then the HIPAA Privacy Rule might as well not exist.
Posted by: mrshl at June 5, 2006 08:43 PM