TMCnet News
Privacy rules yield 1 prosecution, U.S. official says: Investigations cleared 70 percent of 17,000 complaints filed under provisions of the Health Information Portability and Accountability Act, according to a federal spokesman.(Reading Eagle (PA) (KRT) Via Thomson Dialog NewsEdge) Feb. 24--The federal law that was supposed to be the watchdog over everyone's medical privacy appears to have more bark than bite. When privacy provisions to the 1996 Health Information Portability and Accountability Act, or HIPAA, were enacted three years ago, penalties up to $250,000 in fines and 10 years in prison created a scare that bordered on hysteria among medical care providers afraid of being prosecuted. Today, almost three years later, federal officials say they know of only one person who has ever been criminally prosecuted for violating HIPAA and there has not been a single civil fine levied against anyone. That's not just in Berks County, or Pennsylvania. "There have been no civil monetary fines issued by the Office of Civil Rights," said Patrick Hadley, a spokesman for the U.S. Department of Health and Human Services' Office of Civil Rights. "We have reviewed 17,000 complaints and have cleared 70 percent of those." The Office of Civil Rights files civil suits in cases of lesser violations. Malicious, largescale violations are prosecuted as criminal offenses and are investigated by the FBI and prosecuted by the U.S. Attorney's Office. There are no HIPAA police. Instead HIPAA is enforced on a complaint basis. Hadley said in order for a health care provider to commit a civil violation of the act, he or she would have to knowingly release private health information although not necessarily maliciously. "A criminal offense would involve knowingly obtaining protected health information under false pretenses with the intent of selling it," Hadley said. Richard Manieri, a spokesman for U.S. Attorney Patrick L. Meehan, of Pennsylvania's Eastern District, said there have been no criminal HIPAA violations prosecuted by the Philadelphia office, which covers eastern Pennsylvania and New Jersey. Douglass R. Hoffman, a former assistant U.S. attorney in the Philadelphia office who now works as a consultant to health care providers, said common sense is the best guide to complying with HIPAA. Hoffman said the only criminal case he is aware of involved a Seattle cancer clinic worker who used a patient's credit card information to steal $9,000. "Here is a case where local authorities would charge identity theft, but a federal prosecutor was able to charge under HIPAA because the man who stole the information was a health worker," Hoffman said. On Nov. 22, 2004, that defendant, Richard Gibson, 42, pleaded guilty to the HIPAA charges and was sentenced to 16 months in prison, Hoffman said. In July, the Justice Department issued an opinion limiting HIPAA prosecutions to health providers, insurers and third-party business on the institutional level and exempted individual health workers. According to that ruling, individuals such as Gibson would not be prosecuted unless there was evidence they violated the act with the intent to benefit their employer or corporation, officials said. |