Another major flaw in HIPAA was revealed in 2005 after HHS referred several hundred privacy cases to the Justice Department, which responded with the opinion that HIPAA’s criminal statute does not apply to individuals — even those responsible for reprehensible acts. By that standard, employees of covered entities who choose to sell personal medical information or even hackers who break into databases and steal health records are not in violation of the law.
Even before that opinion, HHS’ ability to punish violators of HIPAA rules was suspect. In the three years since Congress approved HHS’ final recommendations on privacy, the department has received about 18,000 complaints of HIPAA violations. To date, only two have been prosecuted. “Basically, with the way things are right now, you have the right to whine to a federal agency,” said Dr. Deborah Peel, a Texas psychiatrist and chairwoman of the Patient Privacy Rights Foundation. “It’s not exactly the most useful way to enforce problems.”
And in fact, it could have potentially destructive consequences for health information privacy. “The level of interest and attention and fear-driven compliance have gone down significantly in the last year,” Braithwaite said. “If there’s a complaint to HHS, people are now recognizing that all they have to do is respond and say, ‘Okay, we’ll fix that,’ and the problem goes away.”
This is a great roundup of arguments and issues.