[Med-privacy] HIPAA privacy enforcement

peter marshall pwm@comcast.net
Wed, 20 Aug 2008 12:39:12 -0700


Wednesday, April 09, 2008
Effectiveness of medical privacy law is questioned

Despite 34,000 complaints of violations in the last five years, the
federal act has resulted in only a few prosecutions, and no civil fines
have been levied.

By Ricardo Alonso-Zaldivar
April 09, 2008 in print edition A-10

When Congress passed a federal medical privacy law more than a decade
ago, it was hailed as a new level of protection for patients
nationwide. But even though the government has received about 34,000
complaints of privacy violations since it officially began enforcing
the law five years ago, only a handful of defendants have been
criminally prosecuted.

The half a dozen or so cases mainly involved clerical workers who
pilfered patient information, using it to open credit card accounts or
selling it to crooks who tried to bilk Medicare and the Internal
Revenue Service.

Moreover, although the federal Health and Human Services Department has
the authority to levy civil fines on medical service providers for
privacy violations, it has yet to do so.

The recent revelation of snooping by UCLA Medical Center employees into
the files of Britney Spears, Farrah Fawcett, California first lady
Maria Shriver and dozens of other patients, however, may force a second
look at the federal law, widely known as HIPAA, the Health Insurance
Portability and Accountability Act of 1996.

Critics say the government’s approach – which focuses on getting
providers to correct violations – may be too lenient, particularly at a
time when medical records are increasingly being shifted from file
folders to computers. In addition, a Justice Department legal opinion
has stated that the law applies primarily to organizations – hospitals,
health insurance plans and doctors’ offices – and only secondarily to
individuals such as the low-level clerks most often implicated in
information theft.

“If you are punishing the [organization] but not the person who
actually did the dirty deed, then we are missing the boat,” said Doreen
Z. McQuarrie, a Houston lawyer who specializes in healthcare issues and
has studied the federal law.

The law was supposed to have had its greatest impact behind the scenes,
ushering in a new era of sensitivity to patient privacy in the
healthcare industry. But skeptics say that has not been the case.

“What the rules were supposed to do was regulate one of the most common
conversations we have: ‘How are you?’ ” said Dennis Melamed, editor of
the Health Information Privacy/Security Alert, which tracks the law and
its enforcement. “They did it with an incomplete set of instructions,
and when you are talking about an industry as huge as healthcare, that
gets to be pretty difficult.”

Some privacy advocates say the law should be changed to give patients
and their families explicit authority to specify who can – and cannot –
see their medical records, although others in the industry argue that
such stipulations would be very difficult to enforce.

Federal officials say they believe that implementation of the law
strikes a balance between education and enforcement. Privacy violations
are mainly investigated by the Health and Human Services Office for
Civil Rights, and the office is required to try to resolve the problem
before imposing fines or penalties.

“Where we have found noncompliance, we have been able to get systemic
change that benefits all individuals,” said Robinsue Frohboese,
principal deputy director of the office. Health insurance plans and
medical providers have had to retrain staff, make changes in computer
systems and take other protective measures.

Enforcement of the law began almost five years ago, after a period of
education and preparation. Of the 34,000 or so complaints received
since then, only about 9,000 have actually led to investigations. Many
of the others involved incidents that took place before the government
started enforcing the law, Frohboese said. Of the 9,000 complaints her
agency investigated, about 6,000 resulted in corrective measures; the
remainder were dismissed.

In the five years of enforcement, the Health and Human Services Office
for Civil Rights referred 426 complaints to the Justice Department for
possible prosecution, Frohboese said. At first blush, the law seems
rigorous, with criminal penalties of as much as $250,000 and 10 years
in prison.

But federal prosecutors are not required to act on such complaints, and
it’s unclear whether any of the referrals prompted the few prosecutions
that have taken place. Some of the cases appear to have arisen from
fraud investigations that agents were already pursuing.

The first conviction for a HIPAA privacy violation came in 2004, in an
identity fraud case involving an employee of the Seattle Cancer Care
Alliance. Richard W. Gibson admitted that he had used a cancer
patient’s name, birth date and Social Security number to get four
credit cards in the patient’s name. He racked up more than $9,000 in
debt buying video games, jewelry, groceries, gasoline and other
personal items.

Frohboese said she could not comment on whether the agency would
investigate UCLA Medical Center.

California has its own medical privacy law. Under the 1981
Confidentiality of Medical Information Act, any “person or entity” that
“obtains, discloses or uses” patient information without authorization
faces civil fines of $2,500 to $250,000.

But no one seems to know how often or even whether such fines have been
levied.

The law leaves jurisdiction to the courts, not to state health
officials. City attorneys, county district attorneys and the state
attorney general can bring lawsuits on behalf of patients – if they or
the patients know about the breach.

The state Department of Public Health said last week that it had opened
an investigation of UCLA Medical Center under a separate state law
governing the licensing and certification of hospitals and other
healthcare facilities.

The steps it can take under this law are limited. If state
investigators find deficiencies, the institution under investigation
must create a plan of correction. The state reviews the plan, then
revisits the hospital to make sure the problems have been fixed.

“This doesn’t mean that the state doesn’t have some tools beyond the
Department of Public Health,” said Kim Belshe, secretary of the state’s
Health and Human Services Agency, on Tuesday. “My understanding is that
we could refer the case to the attorney general to enforce the
[Confidentiality of Medical Information Act], or to the local district
attorney or the city attorney. We’re looking at all three.”

ricardo.alonso-zaldivar@latimes.com

Times staff writer Mary Engel contributed to this report.