HIPAA Policies Fail to Protect Patient Privacy: ProPublica research

When we visit the doctor, hospital or pharmacy we are letting strangers know intimate details about our lives. We trust that these people are professionals and that they’ll be discreet in handling our medical information. But in the electronic age, it’s easy for our protected health information to be disseminated among unauthorized people.

The American Recovery and Reinvestment Act of 2009 financially incentivized health care providers to transfer patient records from hardcopy to an electronic format. These records are only supposed to be accessed by people who are directly facilitating your treatment. But a recent ProPublica investigation discovered that hundreds of health care providers nationwide repeatedly violated the federal Health Insurance Portability and Accountability Act between 2011 and 2014, and most of the violations went unpunished.

The law, which is commonly known as HIPAA, is the federal mandate that protects patients’ private medical information from any unauthorized persons. Violators are subject to fines reaching up to $1.5 million or even imprisonment, but records obtained by ProPublica show that the Office for Civil Rights failed to penalize hundreds of HIPAA violations in the last four years, including infractions from well-known, repeat offenders such as CVS, the U.S. Department of Veterans Affairs, Walgreens, Kaiser Permanente and Walmart.

These businesses serve millions of patients each year.

Among these well-known establishments, the VA was the most persistent HIPAA violator in the data, the ProPublica report states. On numerous occasions, the records show that VA employees spied on each other and on patients whose records they weren’t authorized to access.

“One employee accessed her ex-husband’s medical record more than 260 times. Another employee peeked at the records of a patient 61 times and posted details on Facebook. A third improperly shared a vet’s health information with his parole officer,” the ProPublica story states.

The OCR has many paths to take when deciding how to process HIPAA complaints. The most common approach is to give warnings and help health care providers fix the issues at hand. The office can also levy steep fines and then use the money to fund its operations. And in reckless cases where HIPAA is blatantly disregarded, the OCR can file criminal charges against the violators.

Despite this broad leverage, for undisclosed reasons the OCR isn’t using its power to punish repeat offenders. Figures from the Department of Health and Human Services show that the OCR received nearly 18,000 HIPAA complaints in 2014, but it filed only six formal actions against offenders that year. And unfortunately for patients, a report from the HHS shows the organization isn’t keeping track of repeat HIPAA offenders, which further limits the power patients have to report violations and pursue reimbursement for damages.

The news for patients just gets worse from there. According to the ProPublica report, “HIPAA does not allow patients to sue health providers for damages if they violate the law. So if the federal government doesn’t enforce the law, there are often no consequences for breaking it, though some patients have found grounds to sue under some states’ law.”

This information is just the latest in a long pattern of unpunished HIPAA violations in recent years. It’s obvious that HIPAA isn’t working the way we expect it to or need it to. And the national transition to electronic health records, on top of the recent ICD-10 transition, is making medical records more accessible to would-be offenders, whether the violations are accidental or malicious.

So what can be done about OCR’s disregard for enforcing its own policies?

One suggestion, discussed at length by the AMA Journal of Ethics, is to make patients the owners of their medical data and records, which in turn empowers them to dictate who has access to their information.

The forms you fill out before visiting a new doctor give them authorization to share the health information they’ll collect, but you don’t own that information. HIPAA prevents them from selling it or giving it to unauthorized vendors, but the information is technically theirs, which makes them responsible for it.

However, this method doesn’t offer many—if any—benefits over the current HIPAA policies. As the AMA paper states: “From the standpoint of protecting patients’ confidentiality, data ownership offers little improvement over the HIPAA Privacy Rule and the Common Rule. This suggests that patient ownership of data is not a fruitful path for reform. It would leave patients with many of the same dissatisfactions they have with the current regulations.”

The unfortunate answer is that we, as patients, don’t have viable, concrete options to recover damages from a HIPAA violation. And unless the OCR starts taking control of the situation, that’s unlikely to change.
