Candid comments on HIPAA privacy rules enforcement
Kari Myrold simply nailed the answer.
The privacy officer for Hennepin County Medical Center, Minneapolis, testified last week before the Senate Judiciary Subcommittee on Privacy, Technology and the Law, and her skewering response came near the end of a 90-minute hearing.
Sen. Richard Blumenthal (D-Conn.) asked Myrold whether the privacy and security regulations contained in the Health Insurance Portability and Accountability Act of 1996 have been effectively enforced.
Myrold didn't bust a gut laughing, but she might have after listening to two earlier witnesses. Subcommittee Chairman Sen. Al Franken (D-Minn.) had asked Loretta Lynch, a New York federal prosecutor who works for the Justice Department, and Leon Rodriguez, the head of HHS' Office for Civil Rights, to explain their respective organizations' records on HIPAA enforcement, or lack thereof.
Franken noted dryly that 64,000 privacy complaints have been filed with the OCR—and that nearly 500 were referred to the Justice Department for criminal investigation. But the Justice Department told his staff, Franken said, there have been just 16 HIPAA criminal prosecutions. Meanwhile, HHS had secured only one civil monetary penalty and six settlements, he said.
"These figures seem quite low," Franken deadpanned. "How would you explain them?"
Lynch allowed that some HIPAA cases are prosecuted under other criminal statutes. (Part of that has to do, most likely, with a 2005 legal opinion from the Justice Department's own Office of Legal Counsel that, for a time, read HIPAA's criminal provisions as reaching only covered entities, all but gutting them against individuals. Congress partially overturned that opinion in 2009.)
At any rate, the Justice Department doesn't track these HIPAA-linked cases, Lynch said. Rodriguez, who has been at his position for only a month, promised that the OCR would do a better job of enforcement.
Finally, here's one more bit of background, provided by witness Deven McGraw, a privacy lawyer at the Center for Democracy and Technology. McGraw begged the senators to lean on HHS to develop long-awaited regulations to implement the more-stringent HIPAA privacy and security provisions called for in the HITECH Act, part of the American Recovery and Reinvestment Act of 2009.
"We really need the regs," McGraw said. "Congress, you wanted these provisions to go in effect one year post-enactment and here we are almost three years later and we don't have most of them."
Now we come to Myrold's refreshingly candid answer to Blumenthal's question: Have the HIPAA privacy and security laws been adequately enforced?
"Well, Senator Blumenthal," Myrold said, "listening to the previous two speakers, I began to wonder, what's wrong with the current enforcement provisions and why aren't we enforcing anything under the privacy rules? Are the facts not fitting within the context of the statute? Is it not a big enough case, and what's really going on there? Why aren't people encrypting? Why aren't business associates complying?
"I think a big reason is the final rules aren't here," Myrold continued. "People aren't taking it seriously. Until we actually get those final rules and people know that they're going to actually be enforced, you're probably not going to see a lot more compliance."
Follow Joseph Conn on Twitter: @MHJConn.