HIPPAA Gutted Again - the Sound and Fury of Patient Privacy Laws in the U.S.
Yesterday, the U.S. Department of Justice issued a ruling that significantly weakens the enforcement provisions of the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule (see R. Pear, New York Times, 6/7/05). Under the new ruling, only covered entities (such as hospitals, doctors, and health plans)and not necessarily their employeescan be held accountable and prosecuted for criminal penalties under the Privacy Rule. This is a disturbing reversal and a stunning contradiction to the first criminal conviction under the Privacy Rule, whereby an employee of a consortium of cancer hospitals admitted to wrongful disclosure of a patients personal health information. Outside of that one criminal conviction and despite more than 13,000 complaints, the Department of Health and Human Services (HHS) has never issued a penalty for violations of the HIPAA Privacy Rule. The complaint-driven enforcement process of the Privacy Rule is already inadequate, but this ruling dramatically weakens the impact of the law and significantly limits the recourse patients have when their health information is illegally accessed, used, or disclosed.[thanks Darby Penney]This ruling is particularly distressing as the Bush administration continues to press for the development of a National Health Information Network (NHIN)with HHS Secretary Leavitt yesterday announcing the creation of a new advisory panel to set federal standards for a national electronic medical record (EMR) system. On the heels of the Secretarys announcement, the administrations ruling only continues to undermine the force of the first federal law protecting individuals sensitive health information. Given the administrations track record and the lack of any real commitment to ensuring that Americans personal health information will be protected, the Health Privacy Project (HPP) is seriously concerned that consumer and privacy advocates will not be fully represented on the advisory panel. The public is more concerned than ever about the privacy of their most sensitive information, especially in light of well-publicized privacy and security breaches at major financial and marketing firms.
Our fundamental concern is that without a strong and enforceable federal health privacy law, patients will continue to take steps to protect themselves from discrimination and stigma by limiting what they tell their doctors and avoiding health care. Such privacy-protective behavior is likely to increase if the government presses for an electronic health network that does not adequately safeguard the privacy and security of peoples sensitive health information.