On Feb. 22, as the 15th anniversary of the Health Insurance Portability and Accountability Act approached, HHS' Office for Civil Rights fired off the health information privacy equivalent of the shot heard round the world: It actually fined someone for violating the law. In fact, the Office for Civil Rights pretty much threw the book, in the form of a $4.3 million civil penalty, at Cignet Health, a Maryland-based health plan, for failing to allow patients access to their medical records and especially for not cooperating with its investigation. Shortly thereafter, 907-bed Massachusetts General Hospital, Boston, and UCLA Health System, Los Angeles, also were penalized for violating HIPAA.
Generally speaking, laws work better if they're enforced
Georgina Verdugo, director of the Office for Civil Rights, said, “We hope the healthcare industry will take a close look at this … and recognize that OCR is serious about HIPAA enforcement.”
Yet there was an odd tone in the many commentaries that followed that announcement. An e-mail from the law firm of Epstein Becker & Green observed, “After years of little or no enforcement, (HIPAA) has been supercharged.” Paul Roberts, who writes for Internet security firm Kaspersky Lab's online newsletter, was far less polite: “The healthcare industry's toothless tiger has finally bared its teeth. … The action is the first monetary fine issued since the act was passed in 1996.”
Indeed, as Lora Bentley wrote on the IT Business Edge website in 2009, “Since (HIPAA) became law, enforcement has been a weak link. The number of covered entities that are in full compliance has been low, simply because (HHS) hasn't had much of an enforcement mechanism in place.”
But after 15 years, HIPAA (or at least its privacy provisions) is being enforced, with something resembling a vengeance. That should be a wake-up call for noncompliant providers, as well as for those officials who are tasked with implementing the Patient Protection and Affordable Care Act. (For more on this topic, read “HIPAA at 15,” Aug. 22, p. 12.)
To be fair, some of the reasons for the lack of HIPAA enforcement were beyond the federal government's control. The law's major provisions were insurance reforms, particularly in the small-group and individual market, and privacy protections. The insurance provisions were to be enforced by the states, with backup from what was then HCFA (now the CMS); the Office for Civil Rights was charged with enforcing the privacy provisions.
Neither side of the equation worked too well.
Why? For one thing, splitting authority between states and the feds is rarely effective; look at the troubled history of Medicaid. Furthermore, as Maria Hoving Friedman (no relation to the author), who served as public affairs director for what was then HCFA, notes, “HIPAA was doomed to be a failure from the outset because the states exerted their right to retain control over insurance regulation, which meant that federal enforcement was going to be minimal.” Also, if state laws were stricter than federal statute, the state laws applied, even if they were not enforced.
Thus, HIPAA provisions regarding guaranteed issuance of coverage, guaranteed renewal, limits on pre-existing condition exclusions and portability were largely ignored by insurers and employers alike in some states.
Also, the Office for Civil Rights did not have the money to pursue aggressive enforcement of the privacy provisions, and there was a general lack of political appetite for taking on insurers, employers or providers.
What changed? For one thing, the HITECH Act, which was part of the 2009 economic stimulus law, beefed up what HHS could do, from increasing what were paltry fines to extending liability to entities that do business with HIPAA-covered organizations.
Also, as Maria Friedman puts it, “People just got fed up with all the privacy breaches, whether it was violations of celebrities' medical records or people leaving laptops containing the personal information of thousands of patients in unlocked cars, and the identity theft that can follow.”
Yet during the 14½ years of not being enforced, most providers—despite conflicting federal and state regulations and vague guidance—tried to comply with HIPAA and protect patient information. One can only guess how frustrating it must have been for them to see others playing fast and loose with what they were trying to secure.
They weren't alone; according to a recent survey, 78% of U.S. adults are worried about the privacy and security of their personal healthcare information.
How might this saga influence implementation of the Affordable Care Act? HHS Secretary Kathleen Sebelius has already issued more than a thousand waivers to employers, states, religious groups and others, excusing them either temporarily or permanently from complying with the law. The waivers range from letting the state of Maine allow insurers to spend less on claims than the law permits to telling McDonald's Corp. that it's OK to sell “mini-med” policies to employees that are so skimpy they wouldn't cover an emergency department visit. How far can this go before the law becomes ineffective, even if the courts uphold it?
There is little point in passing a law if it is not going to be enforced. It becomes not only an exercise in hypocrisy, but also a cruel raising of false hopes. HIPAA's privacy provisions now have muscle behind them, and many of its insurance provisions were incorporated into the ACA. It would be nice if both laws were applied as those who created them intended.