Bob Sullivan has an article at Red Tape, “Health care privacy law: All bark, no bite?”, that focuses on the lack of penalties.
Two years ago, when Bill Clinton had heart surgery performed in New York’s Columbia Presbyterian Medical Center, 17 hospital employees — including a doctor — peeked at the former president’s health care records out of curiosity. Earlier this year, Boston-based Brigham and Women’s Hospital repeatedly faxed patient admission sheets to a nearby bank by accident. The faxing continued even after bank employees warned the hospital. In Hawaii, Wilcox Memorial Hospital lost a thumb drive containing personal information on every one of its 120,000 current and former patients.
None of the institutions involved in these incidents has been fined under the highly touted medical privacy law, known as HIPAA (Health Insurance Portability and Accountability Act).
“Since our compliance effort began we have resolved thousands of cases through corrective actions,” said a spokesman for the agency, who asked not to be identified because of agency policies. “We believe it’s inappropriate and misleading to focus exclusively on lack of monetary penalties as a measure of the degree of compliance.”
A process of informal resolutions from the agency, spurred by consumer complaints, has been well-received by health providers, who quickly amend their faulty processes, he said. “Those resolutions bring the benefits of the privacy rule to consumers much more quickly than the adversarial process of civil monetary penalties,” the spokesman said. “It encourages cooperation.”
I’d like to ask two questions:
First, does this mean complaints are dropping? If informal resolution is a measure of compliance, complaints should be going down, right?
Second, what would it take to get the agency to fine people?