Critics of HIPAA Say Law Is Too Lenient To Adequately Protect Patient Privacy

The "recent revelation" that University of California-Los Angeles Medical Center employees looked at the private medical files of high-profile and celebrity patients could prompt a review of the federal Health Insurance Portability and Accountability Act of 1996, the Los Angeles Times reports. Critics say that the law may be too lenient, particularly as more health records are being shifted to electronic systems.

Since enforcement of the law began five years ago, about 34,000 reports of privacy violations have been made to the federal government, and investigations were launched into 9,000 of those reports. About 6,000 resulted in corrective measures and the rest were dismissed, according to the Times. HHS has the authority to levy civil fines on health care providers for privacy violations but has not yet done so. In addition, a Department of Justice legal opinion has stated that HIPAA applies primarily to organizations and secondarily to individuals, such as low-level clerks who are implicated in data theft most often, the Times reports.

Some privacy advocates believe the law should be revised to give patients the ability to specify who can and cannot access their private medical information, but others in the industry say that would be difficult to enforce.

Some federal officials "say they believe that implementation of the law strikes a balance between education and enforcement," according to the Times. Robinsue Frohboese -- principal deputy director of HHS' Office for Civil Rights, which investigates reported privacy violations -- said, "Where we have found noncompliance, we have been able to get systemic change that benefits all individuals." Frohboese added that health care providers and insurers have had to retrain their staff, modify their technology and adopt other privacy protection measures (Alonso-Zaldivar, Los Angeles Times, 4/9).