HIPAA Regulatory Alert

Info-Tech Research Group says HIPAA is 'ineffective'

With only one criminal conviction for a HIPAA violation recorded since 1996, HIPAA is failing to meet its mandate, according to Info-Tech Research Group. "HIPAA is a toothless tiger," says Info-Tech analyst Ross Armstrong. "The first problem is that HIPAA is complaint-driven, and complaint-driven enforcement doesn't work. The second problem is that in the one HIPAA-related conviction that has occurred, only the individual was charged and not the organization itself. If HIPAA is to be truly protective and useful, health care entities and their executives must be held accountable in the same way that Sarbanes-Oxley holds CEOs and CFOs responsible."

Armstrong also questions the government's commitment to enforcing HIPAA, noting a Government Accountability Office (GAO) report that the FBI can't account for all of the $379 million it was given from 2000 to 2003 to investigate HIPAA-related frauds.

Some of the money reportedly was shifted to counter-terrorism efforts, but no one could verify that the rest was properly spent on HIPAA, the GAO said.

"One conviction that netted $9,000 in penalties hardly seems worth an investment of over a third of a billion dollars," Armstrong says. "Without proper government agency oversight, it comes as little surprise that there has been only one HIPAA conviction."

Armstrong tells HIPAA Regulatory Alert that the contrast between the aggressive enforcement of other information technology-related laws and the enforcement of HIPAA is striking.

"There's been a lot of enforcement success under Sarbanes-Oxley and the Fair Credit Reporting Act," he says, "with a lot of revenue coming to the government. But because HIPAA is complaint-driven, no one is held accountable for privacy breaches."

The one criminal conviction involved a charge by the victim against a health care worker for identity theft, according to Armstrong, and no action was taken against the covered entity for which the convicted person worked. "If HIPAA is to be truly protective of privacy," he says, "entities also must be held accountable."

Armstrong refers to surveys by the Healthcare Information and Management Systems Society and Phoenix Health Systems indicating there still is a significant amount of non-compliance with HIPAA requirements.

Covered entities, he states, say there is no adverse public relations effect in not complying with the law and also little fear of government action against them. "There are lots of potential penalties [in the enforcement rule]," he says, "but if they are not being enforced, no one cares."

Armstrong says Info-Tech's consulting business does a lot of work in health care but rarely is asked to work on HIPAA issues, another signal to him that there is little concern.

Contact Ross Armstrong at (888) 670-8889.