Nice law, no teeth

6/11/2006

HIPAA, the federal law intended to protect personal medical information, has been breached so often that it might as well not exist.

The U.S. Department of Health and Human Services is responsible for enforcing the Health Insurance Portability and Accountability Act, but complains that a limited staff hinders executing HIPAA, as the law is commonly known. That's no excuse. Once violations are met with tough penalties and steep fines, the profession will begin to take HIPAA seriously.

Americans are well acquainted with HIPAA. Since it went into effect three years ago, anyone who has had medical care has had to sign a form indicating that they are aware of the law. But that's futile when nothing is done to make hospitals, doctors, and insurers adhere to it. Almost 20,000 grievances have been filed, with complaints ranging from poorly protecting and wrongly revealing personal medical information, to patients becoming frustrated trying to get their own records.

When met with a clear violation, the HHS's Office of Civil Rights encourages "voluntary compliance." So instead of getting a fine or some other tough penalty, violators are told to right their wrongs. So what's the point of the law? Why make patients sign the forms if violators are not penalized? That makes the law meaningless.

The lax approach leaves nothing to compel the health-care profession to comply. Not surprisingly, insurance companies, hospitals, and doctors like the emphasis on voluntary compliance. That means they don't have to worry about $100 fines for each civil violation of the law, or having the Justice Department seek up to $250,000 in fines and 10 years in jail for criminal violations.

This cannot continue. The Department of Health and Human Services must enforce HIPAA. Once the federal agency begins to do its job and clamp down on violators, others in health care will get the message and comply. The sad truth is that HHS should have been doing so all along.