Peeking at patient records is not just a Hollywood pastime, according to Mark Rothstein, a lawyer and the director of the Institute for Bioethics, Health Policy and Law at the University of Louisville (Ky.) School of Medicine.
“For example, I remember that Bill Clinton's health records were viewed inappropriately when he was at a New York hospital for his heart operation,” Rothstein said. “It is relatively easy to track the unauthorized entry using audit trails, but that doesn't seem to be enough to prevent this.”
Rothstein suggests registering all celebrity patients under an alias and using a unique log-on procedure for celebrity records that is changed over time. Another strategy, he said, is “publicizing that strict discipline will follow any inappropriate access to health records.”
“Civil and criminal liability might be a powerful deterrent, but I don't see that happening,” said Rothstein, who served as chairman of the subcommittee on privacy and confidentiality of an HHS advisory panel, the National Committee on Vital and Health Statistics, from 1999 to 2008. “I don't see criminal prosecution as a high priority either for the Justice Department or the states. Also, there is no private remedy under the (HIPAA) privacy rule, so that individuals whose records were unlawfully accessed, assumedly with some harm as a result, would have to bring a common law invasion of privacy case.”
The Office for Civil Rights at HHS, the chief enforcement officer of the HIPAA privacy and security rules, got off to a slow start in imposing civil penalties or fines on individual violators, while the Justice Department started fast and then hit the pause button on criminal sanctions.
The compliance deadline for HIPAA's privacy rule was April 14, 2003, and the security rule, April 20, 2005.
ONC's first monetary penalty, $4.3 million, against a Maryland payer, Cignet Health, for privacy rule violations wasn't until February 2011.
The ONC also has reached several settlement agreements with alleged HIPAA violators, including one last week with insurance giant WellPoint.
Soon after the HIPAA privacy rule went into effect, a Seattle healthcare worker, Richard Gibson, stole the identity of a cancer patient, Eric Drew, and went on a shopping spree in Drew's name. In 2004, Gibson became the first person to be criminally prosecuted, found guilty and sent to prison under HIPAA. But a year later, a Justice Department lawyer severely restricted the scope of the HIPAA criminal penalty provision, saying in a binding legal opinion that “covered entities,” not individuals, were liable for criminal prosecution under HIPAA. That opinion stood until Congress overturned it with a 2009 “clarification” inserted in the American Recovery and Reinvestment Act, saying HIPAA's criminal penalties apply to individuals, too.
Meanwhile, prosecutions for peeking, while not unheard of, are few and far between.
In 2009, a physician and two employees of Arkansas healthcare organizations were fined and sentenced to probation for unauthorized peering at the medical records of a local TV journalist who had been killed.
And in 2010, Huping Zhou, a research assistant at UCLA Health System in Los Angeles, was sentenced to serve four months in federal prison for peeking into hundreds of patient records, including those of movie stars Drew Barrymore, Tom Hanks and Cameron Diaz.
Rose said the feds have since picked up the tempo of privacy rule enforcement. “There was a day when people could say there were no HIPAA police,” she said. “Now, there are HIPAA police. I think OCR has definitely put the iron fist down a lot harder in the last few years.”
Follow Joseph Conn on Twitter: @MHJConn