Good news for UMC: Privacy violations seldom punished

By Steve Kanigher

Sunday, Dec. 13, 2009 | 2 a.m.

Based on the track record, odds are against the federal government punishing anyone for leaking private patient information from University Medical Center.

The Health Insurance Portability and Accountability Act, known as HIPAA, took effect in April 2003, and through October, the Health and Human Services Department had fielded 47,632 allegations of patient privacy violations. Of those, 9,501 were found to be valid.

And how many criminal prosecutions occurred? The department did not answer that question for the Sun, but some experts put the number as low as five. Others say it is fewer than 20. Most were connected to another crime, usually identity theft — such as the case of a Washington man who worked at a cancer-treatment center. He pleaded guilty in 2004 to stealing patient information to obtain credit cards.

The federal law includes provisions for civil penalties for “covered entities,” meaning hospitals, clinics, doctors’ offices can be fined. But in the history of the law, only two “entities” have had to pay money to settle HIPAA violations. Providence Health & Service of Seattle agreed to pay $100,000 in July 2008, and retail giant CVS Pharmacy coughed up $2.25 million in January.

“For the most part, if you make a mistake under HIPAA and acknowledge it, they don’t penalize you,” says attorney Kirk Nahra of Washington, an expert on the law.

Georgetown University assistant research professor Joy Pritts, who specializes in medical information privacy for its Health Policy Institute, says the way the federal agency has “enforced” HIPAA for hospitals and clinics has been to give them an opportunity to plug their leaks instead of fines.

“The enforcement regulations under HIPAA give people one free bite of the apple with respect to civil violations,” Pritts says. “What Health and Human Services initially tried to do was to make sure it didn’t come down with a sledgehammer on those who were not familiar with the law.”

Now that the law is almost seven years old, just about every adult, even those who don’t work in the medical profession, is familiar with its restrictions.

And yet the law remains all bark and little bite, critics say.

“I believe it is because of the power the medical and pharmaceutical lobby has wielded to discourage enforcement,” says Abner Weintraub of Los Angeles, president of HIPAA Group Inc., a consultant to health care providers. “It’s disgusting — the fact that this is a law that could do some good, but there has been so little enforcement.”

Health and Human Services’ civil rights office handles HIPAA complaints. In response to a Sun inquiry about the lax enforcement of the law, the office sent an e-mail saying the agency is “committed to the strong and strenuous enforcement of the privacy of patient information.” But it also says: “Voluntary compliance and informal resolution are an efficient mechanism to resolve noncompliance and save resources for both (the civil rights office) and a covered entity.”

Some experts say the agency has been chronically underfunded and therefore must be selective when it comes to cracking down on lawbreakers.

“It took Congress six years to realize it had to fix HIPAA,” Pritts says.

Penalties’ cost increasing

The timing of the UMC case might result in those responsible for the leaks getting hit harder than they would have in the past — because there’s a new sheriff in town.

When President Barack Obama signed the American Recovery and Reinvestment Act in February to help stimulate the economy, the legislation included provisions to increase HIPAA’s civil penalties. If, for instance, a hospital repeatedly violates HIPAA, it can be fined up to $1.5 million a year for each provision it violates. The maximum had been $25,000 a year.

Provisions to encourage tougher enforcement of criminal violators are scheduled to kick in throughout 2010. The “covered entities” provision has been expanded to include businesses tied to hospitals and clinics.

The Obama administration is giving the impression that it will make the most of its strengthened HIPAA, but whether it will follow through remains to be seen, says Chicago attorney Edward Malone, who has written guides for hospitals on HIPAA laws.

Technically, for example, even University Medical Center CEO Kathy Silver could be considered at risk of criminal liability for her hospital’s violations of the federal law.

The law allows top administrators such as Silver to be held criminally responsible for breaches of security under certain circumstances, even if another employee leaked the information.

But authorities would have to be able to prove that a top administrator had direct knowledge or involvement in the leaks and didn’t take proper action to stop them.

“If it is part of a supervisor’s job to make sure patient information is secure and he didn’t establish proper safeguards, the supervisor could be held liable,” Malone says.

But HIPAA also requires hospitals to have privacy and security officers, so it is possible that liability would stop with those employees, Nahra says.

FBI probe under way

In UMC’s case, Silver has told the Sun that she had heard rumors about information being leaked from the trauma center this summer, but she didn’t get law enforcement involved until last month.

The FBI began investigating the leak of patients’ names, ages, addresses, Social Security numbers and injury details after the Sun exposed the leaks Nov. 20.

Silver told the Sun that instead of going to law enforcement when she first heard of the possible leaks, she conducted her own cursory investigation of attorneys who had requested medical records, but she concluded that nothing seemed unusual.

Silver said she was not even sure there was a leak until a Sun reporter informed her Nov. 19 that 21 patient records, dated Oct. 31 and Nov. 1, had been provided to the newspaper by a source as evidence of the leak. The source thinks the leaks had been going on for months.

Sun reporter Marshall Allen contributed to this story.