HIPAA Privacy Law Has Resulted in No Civil Fines, Despite Numerous Complaints

Although HHS has received more than 19,000 grievances regarding alleged violations of medical privacy provisions in the Health Insurance Portability and Accountability Act, the agency has levied no civil fines and prosecuted just two criminal cases, according to reports. Since its implementation in 2003, HIPAA has guaranteed a uniform federal law for ensuring the privacy of medical records. HHS has the authority to impose fines for civil violations ranging from $100 to $25,000, and officials can refer possible criminal violations to the Department of Justice. The government has closed more than 14,000 of the 19,420 filed grievances, either ruling that a violation did not occur or allowing health care providers and insurers to correct violations voluntarily without issuing a penalty. At least 309 cases have been referred to DOJ. The most common allegations involve improper disclosure of medical records, inadequate security for records, failure to obtain authorization to disclose records or difficulty for patients seeking to obtain their own records. An HHS spokesperson said the agency has conducted a "handful" of compliance reviews. Privacy advocates say the need to enforce HIPAA will increase if or when the federal government is successful in its effort to implement a system of electronic health records.