You Are A Market, Not a Patient

Medical Privacy Law Nets No Fines
Lax Enforcement Puts Patients' Files At Risk, Critics Say

By Rob Stein
Washington Post Staff Writer
Monday, June 5, 2006; A01

In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.

The government has "closed" more than 73 percent of the cases -- more than 14,000 -- either ruling that there was no violation, or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.

"Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well," said Winston Wilkinson, who heads the Department of Health and Human Services' Office of Civil Rights, which is in charge of enforcing the law.

While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health industry analysts. They say the administration's decision not to enforce the law more aggressively has not safeguarded sensitive medical records and has made providers and insurers complacent about complying.

"The law was put in place to give people some confidence that when they talk to their doctor or file a claim with their insurance company, that information isn't going to be used against them," said Janlori Goldman, a health-care privacy expert at Columbia University. "They have done almost nothing to enforce the law or make sure people are taking it seriously. I think we're dangerously close to having a law that is essentially meaningless."

The debate has intensified amid a government push to computerize medical records to improve the efficiency and quality of health care. Privacy advocates say large, centralized electronic databases will be especially vulnerable to invasions, making it even more crucial that existing safeguards be enforced.

The highly touted Health Insurance Portability and Accountability Act -- known as HIPAA -- guaranteed for the first time beginning in 2003 that medical information be protected by a uniform national standard instead of a hodgepodge of state laws.

When privacy comes into conflict with an opportunity for data mining and marketing, marketing always wins. HIPAA is a failure, except in its ability to further complicate our lives and those of the practitioners we need to consult.

My ISP continue to have service problems: there are websites I cannot load continuing today and that is going to slow down posting. Sorry. My local cable monopoly has been pretty good about keeping things running, so I don't know what is going on today.