Why toughen HIPAA when nobody enforces it?

This week, House Ways and Means Committee members should be considering an economic stimulus package that includes provisions to beef up HIPAA. Yes, you heard me right--they're thinking about adding more stringent protections to a law that virtually never gets enforced anyway.
Sure, my headline is a bit of an exaggeration. Now and then, CMS has bagged a facility that appeared to be committing particularly egregious HIPAA violations and slapped it with a fine. That's what happened last summer, for example, when a Seattle-based health system was hit with a $100,000 HIPAA fine after failing to secure various forms of data storage.
The truth is, however, that HIPAA enforcement has been anemic, to say the least. According to an HHS Inspector General's report issued late last year, CMS has not conducted a single security audit of a hospital's systems since HIPAA went into effect in February 2006. (I suppose it doesn't help much that, according to the IG's research, CMS has received a grand total of 200 HIPAA complaints for the entire U.S.)
Meanwhile, the existing HIPAA regs have had what could be called a chilling effect on how healthcare providers interact with patients, with many applying the rules in an arbitrary, inconsistent and unreasonable manner, according to professional observers and consultants.
I would suggest that given these concerns, now is a good time to re-evaluate how HIPAA has been implemented. CMS should take a close look at why so few HIPAA complaints come through its doors, and providers should do spot tests to see how their staff is handling compliance. And federal legislators should do more investigation into the state of HIPAA training, compliance and enforcement, too.
Hey, as a healthcare consumer, I find it hard to criticize honest efforts to protect patients. But there's no point in piling on rules until you really understand the problem. - Anne
