Some privacy advocates say the law should be changed to give patients and their families explicit authority to specify who can -- and cannot -- see their medical records, although others in the industry argue that such stipulations would be very difficult to enforce.
Federal officials say they believe that implementation of the law strikes a balance between education and enforcement. Privacy violations are mainly investigated by the Health and Human Services Office for Civil Rights, and the office is required to try to resolve the problem before imposing fines or penalties.
"Where we have found noncompliance, we have been able to get systemic change that benefits all individuals," said Robinsue Frohboese, principal deputy director of the office. Health insurance plans and medical providers have had to retrain staff, make changes in computer systems and take other protective measures.
Enforcement of the law began almost five years ago, after a period of education and preparation. Of the 34,000 or so complaints received since then, only about 9,000 have actually led to investigations. Many of the others involved incidents that took place before the government started enforcing the law, Frohboese said. Of the 9,000 complaints her agency investigated, about 6,000 resulted in corrective measures; the remainder were dismissed.
In the five years of enforcement, the Health and Human Services Office for Civil Rights referred 426 complaints to the Justice Department for possible prosecution, Frohboese said. At first blush, the law seems rigorous, with criminal penalties of as much as $250,000 and 10 years in prison.
But federal prosecutors are not required to act on such complaints, and it's unclear whether any of the referrals prompted the few prosecutions that have taken place. Some of the cases appear to have arisen from fraud investigations that agents were already pursuing.
The first conviction for a HIPAA privacy violation came in 2004, in an identity fraud case involving an employee of the Seattle Cancer Care Alliance. Richard W. Gibson admitted that he had used a cancer patient's name, birth date and Social Security number to get four credit cards in the patient's name. He racked up more than $9,000 in debt buying video games, jewelry, groceries, gasoline and other personal items.
Frohboese said she could not comment on whether the agency would investigate UCLA Medical Center.
