Posted by: Robert Markette
February 03, 2006

According to IT Research Group HIPAA is an ineffective “toothless tiger.”  The group  laments the lack of convictions for HIPAA violations and believes a complaint driven system is ultimately ineffective.  The group feels that healthcare executives need to be subject to liability for HIPAA violations in the same way they are subject to liability under other federal laws.  The Group also feels that HIPAA should be enforced more vigorously, in a manner similar to the Fair Credit Reporting Act.  Based upon what I have seen from providers, the vast majority are complying, in fact, they were guarding patient privacy quite well before HIPAA.  Because of this experience, I disagree with the idea that the government needs to enforce HIPAA more rigorously. 

The groups complaint overlooks is the difference between medical records privacy and other privacy laws.  The medical profession, like the legal profession, has a long history of zealously guarding patient privacy.  Patient privacy was governed by laws, regulations, and professional ethics long before the federal government decided to regulate patient privacy.  HIPAA, let us not forget, was a classic example of one or two well publicized mistakes leading to a rather sweeping, and unnecessary, federal regulation.  Patient privacy is not in any danger because the Feds have only obtained one conviction since 1996.

Furthermore, the fact that the feds have only prosecuted one case to conviction does not mean that providers are failing to comply with the rules.  It is partially a reflection on the lack of resources, but also the prioritization of the Department of Justice.  The DOJ has made it very clear that they do not intend to prosecute HIPAA criminal violations.  Frankly, many criminal violations of HIPAA would also be violations of other criminal statutes.  (HIPAA does not make it crime to inadvertently disclose PHI, there has to be some level of criminal intent.)  Individuals such as the gentlemen out west who was convicted of a criminal violation of HIPAA will still be subject to criminal prosecution for obtaining patient PHI for their own use, with or without HIPAA prosecutions.   In that case, the defendant was charged with a number of other federal crimes, but pled to a violation of HIPAA.

The other complaint is using a complaint driven enforcement model.  Many federal regulations are enforced through a complaint driven model.  I can think of two examples, wage and hour regulations and EEOC.  Both of these regulations are sweeping and more directly affect individuals than HIPAA.  However, the enforcement of these matters is driven almost exclusively by complain and they are enforced quite thoroughly.  Complaint driven models can be a very effective way to enforce a regulatory scheme.

All of the discussion of enforcement stems from a belief that without sweeping government regulations that are enforced vigorously, patient information will not be protected.  However, patient information was protected for many years before HIPAA. Enacting HIPAA has created yet one more regulatory monster for health care providers to tame, but the large cost of HIPAA compliance has not resulted in a similarly large increase in the protection of patient confidentiality.  Subjecting health care providers to even more draconian prosecution efforts in Sarbanes Oxley style HIPAA enforcement will only serve to drive the costs of compliance up, yet will not likely reap any further benefit in patient privacy. 

This is because health care professionals were going to great lengths to protect patient privacy before they began implementing HIPAA.  Unlike other professions that are not regulated by federal laws, health care professionals took it as a fundamental matter of professionalism to keep patient information confidential.  HIPAA compliance did not change a great deal for health care providers, except increasing by one the number of policies and procedures manuals on their shelves.

News

Health Care

[08/15] Catalyst Pharmaceutical Partners Reports Second Quarter 2008 Financial Results
[08/15] Salmonella outbreak winds down; questions remain
[08/15] 6 get Legionnaires' disease in upstate NY; 1 dies
[08/15] NYC heroes lift bus off pregnant woman; baby saved
[08/15] NYC heroes lift bus off pregnant woman; baby saved
[08/15] Former half-ton man endures hard times in Nebraska
[08/15] AP Interview: Doctor behind executions speaks out
[08/14] University Hospitals Receives $22.6 Million Donation from Harrington and McLaughlin Families
[08/14] The National Kidney Foundation's 7th Annual Ronald D. Paul Companies Kidney Walk to be Held on Saturday, September 20
[08/14] Best Practice Database adds Research on New Product Launch
Read More

Web Resources

FindLaw
Thomson West
U.S. Courts
Westlaw
United States Chamber of Commerce
FirstGov
Legislative Branch
Library of Congress
White House
Internal Revenue Service
National Weather Service
Yahoo!Maps
YellowPages.com
New York Times
Newspapers Online
USA Today
Wall Street Journal
AOL
Google
Yahoo!Legal Blog Directory