Two years ago, when Bill Clinton had heart surgery performed in New York's Columbia Presbyterian Medical Center, 17 hospital employees -- including a doctor -- peeked at the former president's health care records out of curiosity. Earlier this year, Boston-based Brigham and Women's Hospital repeatedly faxed patient admission sheets to a nearby bank by accident. The faxing continued even after bank employees warned the hospital. In Hawaii, Wilcox Memorial Hospital lost a thumb drive containing personal information on every one of its 120,000 current and former patients.
None of the institutions involved in these incidents has been fined under the highly touted medical privacy law, known as HIPAA (Health Insurance Portability and Accountability Act).
In fact, there have been 22,664 HIPAA privacy-related complaints filed since the privacy rule took effect in 2004, and not a single institution has been fined for privacy lapses, according to the Department of Health and Human Services, which enforces HIPPA. It's not clear that any of the three incidents above generated HIPAA privacy complaints, so the total number of privacy-related incidents is no doubt higher.
Health privacy advocates are crying foul. One even calls HIPAA a "charade."
"It's a huge charade imposed on the public at great expense," said Twila Brase, president of the Citizens' Council on Health Care, a Minnesota patient-rights group. "The real scandal ... is that they called it a privacy rule."
Anyone who's been to a doctor's office or a hospital in the past three years knows HIPAA, even if they don't know it by name. Patients are now asked to sign an elaborate privacy information sheet when they first arrive at a medical practitioner's office. The form lists in detail consumers' rights to keep their health care information private; but it often seems to confuse the patients. A California HealthCare Foundation study released last year found that only 59 percent of consumers recalled having received the form, and of those, only one-quarter believed that HIPAA gives them additional rights.
Perhaps they're just using common sense, says Kate Borton, former head of security at Massachusetts General Hospital in Boston.
"I don't think (federal agencies) are taking this all that seriously," said Borton, now president of health privacy consulting firm The Marblehead Group. "Enforcement is a farce. ... There is no funding for what we call the HIPAA police. It's a joke because there aren't any HIPAA police."
'Informal' action work, agency says
Officials at the Department of Health and Human Services bristle at this measurement of HIPAA's success. They argue that the agency has used "informal means" to correct 76 percent of complaints about privacy deficiencies at hospitals and medical offices.
"Since our compliance effort began we have resolved thousands of cases through corrective actions," said a spokesman for the agency, who asked not to be identified because of agency policies. "We believe it's inappropriate and misleading to focus exclusively on lack of monetary penalties as a measure of the degree of compliance."
A process of informal resolutions from the agency, spurred by consumer complaints, has been well-received by health providers, who quickly amend their faulty processes, he said. "Those resolutions bring the benefits of the privacy rule to consumers much more quickly than the adversarial process of civil monetary penalties," the spokesman said. "It encourages cooperation."
The system could be compared to old-fashioned community policing, where a cop who lives in the neighborhood and walks the beat might knock on your door and give you give you five minutes to move your illegally parked car before giving you a ticket.
Only, at the Department of Health and Human Services, there are no cops walking the beat. HIPAA enforcement is entirely "complaint-driven," the agency indicated in its enforcement directive, published last year. And regulators were directed to always offer voluntary compliance terms first.
But the HHS spokesman said health providers are aware that such a friendly conversation could turn sour -- and cost money -- if they don't quickly respond to a complaint. "We are prepared to use our civil monetary penalty authorization in appropriate cases," he said.
'I don't think that's effective'
Privacy experts are skeptical. After nearly 23,000 complaints and no fines, many wonder if the system is really working as designed.
"An informal call from a regulator, we think that's an appropriate use of resources. But we have no reason to believe they have structured follow-up processes," said Paul Feldman, deputy director of the Health Privacy Project, health care think tank based at the Georgetown University Institute for Healthcare Research and Policy. "They will tell you they use a robust system of voluntary compliance, that they close three-quarters of the cases. … I'll leave it to your readers to decide if that's effective."
Still, Feldman believes HIPAA has at least moved the ball forward for patients, who previously had no formal way to complain about health care privacy problems. Today, the Office of Civil Rights in the Department of Health and Human Services has a structured mechanism for complaints, a step in the right direction.
And not everyone is critical of the HIPAA enforcement track record.
"It's hard to figure out if 22,000 is a big number," said Kirk J. Nahra a health care privacy law expert at the Wiley Rein & Fielding law firm in Washington, D.C. "There are a number of complaints that were thrown out because they involve things that have nothing to do with HIPAA.
"They've seen people trying to do the right thing and fix the problem if there was a problem. I don't see the conclusion that a lack of penalties … equates to people not paying attention to the rule."
A 10-year-old law
HIPAA dates to a federal law passed back in 1996, governing a wide variety of health records initiatives. The law directed Congress to enact additional privacy legislation, but federal lawmakers have so far failed to do so. Instead, Health and Human Services was directed to create this privacy regulation as a stop-gap measure. HIPAA's privacy rule took effect in April 2003.
In addition to the new paperwork for patients, the regulation created red tape for health care providers, who were required to create and track the privacy notices. Some say it also created paranoia for nurses, doctors and volunteers. Many health care firms read their employees the riot act over sharing any medical information at all, and in some cases, there have been over-reactions to the possibility of HIPAA fines. Family members sometimes have trouble sending flowers to hospitalized loved ones, for example, says patients' advocate Brase.
It's something she calls the "HIPAA hassle." The paranoia and confusion led the Health Privacy Project to create and publish a list of HIPAA myths.
But despite all that anxiety, complaints haven't led to any visible action by HHS, making privacy advocates like Brase wondering what's going on.
"The public thinks there's some sort of rule here," she said. "But it's a smokescreen."
HHS doesn't disclose details specific complaints, but Hadley said the allegations fall into five broad categories:
•Impermissible use or disclosure of an individual's health information, the most common complaint;
•A lack of adequate safeguards, such as unlocked doors or a computer screen facing a waiting room;
•Refusal or failure to provide an individual with access to or a copy of his or her records;
•Disclosure of more information than is minimally necessary to perform a health-related task;
•Failure to have an individual's valid authorization for disclosure.
In complaints, patients have described everything from unlocked cabinets containing personal information to nurses who announce patient data too loudly in waiting rooms. Other incidents involving data security, such as lost laptop computers with health information, are redirected to a different office at Health and Human Services, and governed by a separate security rule at the agency.
The Health Privacy Project, based in Washington D.C., offers far more detail in its collection of patient privacy nightmare stories -- an alarming 25-page document that summarizes hundreds of patient records thefts that have made headlines since implementation of HIPAA.
Tales range from bizarre to overwhelming. In one case, a retired school teacher was repeatedly called by a hospital that demanded she pay for amputation of her right foot; even though she still had both feet.
In another, Providence Health System in Oregon revealed that a burglar stole computer equipment containing health records on 365,000 patients from an employee's van.
HHS can do more than issue civil penalties; it can recommend the Department of Justice bring criminal charges against hospitals and other health care providers. So far, 332 criminal cases have been referred, but there have been only three prosecutions, all against individual health care workers. Justice spokesman Charles Miller said he couldn't discuss the status of the other cases.
What concerns Feldman most is the erosion of faith and trust if the public perceives that health information is not being carefully guarded or that privacy laws are not being enforced. Patients who don't believe their confidentiality will be preserved are less likely to tell their doctors about sensitive health matters -- to admit to occasional drug and alcohol use, for example – and that could endanger their care, he said.
But beyond that, faith in health record privacy is a critical component of the coming national electronic health record system. The Bush administration has established a goal that half of Americans have an electronic health record by 2014. At its best, the system would be a boon for patients and for researchers, who could conduct more accurate and immediate studies.
But if designed poorly, it could ease the work of identity thieves, voyeurs and other lurkers, who could steal or view records from any part of the system. To get the public to willingly participate, patients must have a lot of faith in health privacy. Lax enforcement of current rules could imperil future data sharing programs, Feldman said.
"(The system) can be brilliant," he said. "But we are looking for brilliant and protective."