Medical Privacy Law Nets No Fines

Representatives of hospitals, insurance companies, health plans and doctors praised the administration's emphasis on voluntary compliance, saying it is the right tack, especially because the rules are complicated and relatively new.

"It has been an opportunity for hospitals to understand better what their requirements are and what they need to do to come into compliance," said Lawrence Hughes of the American Hospital Association.

"We're more used to the government coming down with a heavy hand where it's unnecessary," said Larry S. Fields, president of the American Academy of Family Physicians. "I applaud HHS for taking this route."

But privacy advocates say the lack of civil fines has sent a clear message that health organizations have little to fear if they violate HIPAA.

"It's not being enforced very vigorously," said William R. Braithwaite of the eHealth Initiative and Foundation, an independent, nonprofit research and advocacy organization based in Washington. "No one is afraid of being fined or getting bad publicity. . . . As long as they respond, they essentially get amnesty."

The approach has made health-care organizations complacent about protecting records, several health-care consultants said. A recent survey by the American Health Information Management Association found that hospitals and other providers are still not fully complying, and that the level of compliance is falling.

"They are saying, 'HHS really isn't doing anything, so why should I worry?' " said Chris Apgar of Apgar & Associates in Portland, Ore., a health-care industry consultant.

Goldman and others also questioned why the government is not conducting more independent audits of compliance in addition to investigating complaints.

"It's like when you're driving a car," said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. "If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply."

Wilkinson's office has conducted just a "handful" of compliance reviews, an HHS spokesman said, and completed one -- a case involving a radiology center that was dumping old files of patients into an unsecured trash bin. The center agreed to hire a company to dispose of records and no fine was levied, the spokesman said.

Wilkinson said the size of his staff limits its ability to do much more than respond to complaints.

"We've had challenges with our resources investigating complaints," he acknowledged, saying they are complaint-driven. Wilkinson added, "We've been successful with voluntary compliance, so there has not been a need to go out and look."

But other government regulators take a different approach, privacy advocates say.

"The Securities and Exchange Commission, the Federal Trade Commission -- they find significant and high-profile cases and send a message to industry about what is permitted and what isn't," said Peter Swire, an Ohio State University law professor who helped write the HIPAA regulations during the Clinton administration.

Goldman and other privacy advocates point to numerous reports of health information being made public without patients' consent -- the recent theft of millions of veterans' records that included some medical information, a California health plan that left personal information about patients posted on a public Web site for years, and a Florida hospice that sold software containing personal patient information to other hospices.

In the meantime, Goldman said, surveys continue to show that for fear that their medical information will be used against them, people avoid seeking treatment when they are sick, pay for care out of pocket, or withhold important details about their health from their doctors.

"The law came about because there was a real problem with people having their privacy violated -- they lost jobs, they were embarrassed, they were stigmatized. People are afraid. The law was put in place so people wouldn't have to choose between their privacy and getting a job or going to the doctor," said Goldman, who also heads the Health Privacy Project, a Washington-based advocacy group. "That's still a huge problem."