Monday, June 05, 2006

ENFORCING HEALTH PRIVACY LAW -- "In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases."

The highly touted Health Insurance Portability and Accountability Act -- known as HIPAA -- guaranteed for the first time beginning in 2003 that medical information be protected by a uniform national standard instead of a hodgepodge of state laws.

The law gave the job of enforcement to HHS, including the authority to impose fines of $100 for each civil violation, up to a maximum of $25,000. HHS can also refer possible criminal violations to the Justice Department, which could seek penalties of up to $250,000 in fines and 10 years in jail.

Wilkinson would not discuss any specific complaints but said his office has "been able to work out the problems . . . by going in and doing technical assistance and education to resolve the situation. We try to exhaust that before making a finding of a technical violation and moving to the enforcement stage. We've been able to do that."

About 5,000 cases remain open, and some could result in fines, Wilkinson said. "There might be a need to use a penalty. We don't know that at this stage."

His office has referred at least 309 possible criminal violations to the Justice Department. Officials there would not comment on the status of those cases other than to say they would have been sent to offices of U.S. attorneys or the FBI for investigation. Two cases have resulted in criminal charges: A Seattle man was sentenced to 16 months in prison in 2004 for stealing credit card information from a cancer patient, and a Texas woman was convicted in March of selling an FBI agent's medical records.