[Med-privacy] enforcement
Peter Marshall
pwm@comcast.net
Mon, 5 Jun 2006 12:10:20 -0700
Medical Privacy Law Nets No Fines
Lax Enforcement Puts Patients' Files At Risk, Critics Say
By Rob Stein
Washington Post Staff Writer
Monday, June 5, 2006; A01
In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.
Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.
The government has "closed" more than 73 percent of the cases -- more than 14,000 -- either ruling that there was no violation, or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.
"Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well," said Winston Wilkinson, who heads the Department of Health and Human Services' Office of Civil Rights, which is in charge of enforcing the law.
While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health industry analysts. They say the administration's decision not to enforce the law more aggressively has not safeguarded sensitive medical records and has made providers and insurers complacent about complying.
"The law was put in place to give people some confidence that when they talk to their doctor or file a claim with their insurance company, that information isn't going to be used against them," said Janlori Goldman, a health-care privacy expert at Columbia University. "They have done almost nothing to enforce the law or make sure people are taking it seriously. I think we're dangerously close to having a law that is essentially meaningless."
The debate has intensified amid a government push to computerize medical records to improve the efficiency and quality of health care. Privacy advocates say large, centralized electronic databases will be especially vulnerable to invasions, making it even more crucial that existing safeguards be enforced.
The highly touted Health Insurance Portability and Accountability Act -- known as HIPAA -- guaranteed for the first time beginning in 2003 that medical information be protected by a uniform national standard instead of a hodgepodge of state laws.
The law gave the job of enforcement to HHS, including the authority to impose fines of $100 for each civil violation, up to a maximum of $25,000. HHS can also refer possible criminal violations to the Justice Department, which could seek penalties of up to $250,000 in fines and 10 years in jail.
Wilkinson would not discuss any specific complaints but said his office has "been able to work out the problems . . . by going in and doing technical assistance and education to resolve the situation. We try to exhaust that before making a finding of a technical violation and moving to the enforcement stage. We've been able to do that."
About 5,000 cases remain open, and some could result in fines, Wilkinson said. "There might be a need to use a penalty. We don't know that at this stage."
His office has referred at least 309 possible criminal violations to the Justice Department. Officials there would not comment on the status of those cases other than to say they would have been sent to offices of U.S. attorneys or the FBI for investigation. Two cases have resulted in criminal charges: A Seattle man was sentenced to 16 months in prison in 2004 for stealing credit card information from a cancer patient, and a Texas woman was convicted in March of selling an FBI agent's medical records.
Representatives of hospitals, insurance companies, health plans and doctors praised the administration's emphasis on voluntary compliance, saying it is the right tack, especially because the rules are complicated and relatively new.
"It has been an opportunity for hospitals to understand better what their requirements are and what they need to do to come into compliance," said Lawrence Hughes of the American Hospital Association.
"We're more used to the government coming down with a heavy hand where it's unnecessary," said Larry S. Fields, president of the American Academy of Family Physicians. "I applaud HHS for taking this route."
But privacy advocates say the lack of civil fines has sent a clear message that health organizations have little to fear if they violate HIPAA.
"It's not being enforced very vigorously," said William R. Braithwaite of the eHealth Initiative and Foundation, an independent, nonprofit research and advocacy organization based in Washington. "No one is afraid of being fined or getting bad publicity. . . . As long as they respond, they essentially get amnesty."
The approach has made health-care organizations complacent about protecting records, several health-care consultants said. A recent survey by the American Health Information Management Association found that hospitals and other providers are still not fully complying, and that the level of compliance is falling.
"They are saying, 'HHS really isn't doing anything, so why should I worry?' " said Chris Apgar of Apgar & Associates in Portland, Ore., a health-care industry consultant.
Goldman and others also questioned why the government is not conducting more independent audits of compliance in addition to investigating complaints.
"It's like when you're driving a car," said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. "If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply."
Wilkinson's office has conducted just a "handful" of compliance reviews, an HHS spokesman said, and completed one -- a case involving a radiology center that was dumping old files of patients into an unsecured trash bin. The center agreed to hire a company to dispose of records and no fine was levied, the spokesman said.
Wilkinson said the size of his staff limits its ability to do much more than respond to complaints.
"We've had challenges with our resources investigating complaints," he acknowledged, saying they are complaint-driven. Wilkinson added, "We've been successful with voluntary compliance, so there has not been a need to go out and look."
But other government regulators take a different approach, privacy advocates say.
"The Securities and Exchange Commission, the Federal Trade Commission -- they find significant and high-profile cases and send a message to industry about what is permitted and what isn't," said Peter Swire, an Ohio State University law professor who helped write the HIPAA regulations during the Clinton administration.
Goldman and other privacy advocates point to numerous reports of health information being made public without patients' consent -- the recent theft of millions of veterans' records that included some medical information, a California health plan that left personal information about patients posted on a public Web site for years, and a Florida hospice that sold software containing personal patient information to other hospices.
In the meantime, Goldman said, surveys continue to show that for fear that their medical information will be used against them, people avoid seeking treatment when they are sick, pay for care out of pocket, or withhold important details about their health from their doctors.
"The law came about because there was a real problem with people having their privacy violated -- they lost jobs, they were embarrassed, they were stigmatized. People are afraid. The law was put in place so people wouldn't have to choose between their privacy and getting a job or going to the doctor," said Goldman, who also heads the Health Privacy Project, a Washington-based advocacy group. "That's still a huge problem."
© 2006 The Washington Post Company