The Senate Judiciary Subcommittee on Privacy, Technology, and Law recently held a hearing to discuss federal enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, entitled “Your Health and Your Privacy: Protecting Health Information in a Digital World.” In that hearing, Subcommittee Chairman Al Franken (D-MN) told officials from the Department of Health and Human Services (HHS) and the Department of Justice (DOJ) that “the overall record of [HIPAA] enforcement is simply not satisfactory,” and asked why so few HIPAA complaints are actually prosecuted.  Franken and other panelists also emphasized the need for a final rule to implement the HITECH Act’s amendments to the HIPAA Privacy and Security Rules. 

Franken’s opening statement outlined the benefits of electronic health records, but emphasized that “we need to do more to protect this data and that is what this hearing is all about.”

The first panel included U.S. Attorney Loretta Lynch, who also serves on the Health Care Fraud Working Group of the Attorney General’s Advisory Committee, and Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR).  Both officials underscored their agencies’ commitment to enforcing medical privacy laws through HIPAA’s Privacy and Security Rules and the new HITECH Act.  Lynch testified about recent DOJ efforts to enforce HIPAA’s criminal provisions, while Rodriguez cited OCR cases against Massachusetts General Hospital and CVS/Rite Aid that led to substantial fines.

Franken countered that, while DOJ and OCR may be “ramping up” enforcement, the lack of enforcement in the vast majority of cases was “simply not satisfactory.” Since 2003, HHS has received 22,500 HIPAA complaints that it has the authority to investigate, but OCR imposed a formal fine in only one case and reached a settlement in only six others. During that time, HHS referred 495 HIPAA complaints to DOJ, but these referrals led to only 16 HIPAA prosecutions.  While Franken allowed that some of these cases may have been prosecuted under other statutes, DOJ does not track how many HHS-referred HIPAA cases are ultimately prosecuted on other grounds.  Franken suggested that such data is necessary to conduct effective oversight and proposed working with Lynch to more effectively monitor the disposition of HHS HIPAA referrals.

The hearings also highlighted the need for a final rule to implement major provisions of the new HITECH Act, including those related to business associates and breach notification requirements.  Franken characterized the lack of final HITECH regulations as “a really big problem,” and questioned Rodriguez about when Congress can expect a final rule from HHS.  Rodriguez did not provide a specific timetable.

The hearing’s second panel reiterated the need for a final HITECH rule.  Deven McGraw, Director of the Health Privacy Project at the Center for Democracy and Technology, characterized the HITECH rulemaking process as “agonizingly slow” and testified that “we need the regs” for actual progress to be made.  McGraw also testified about the lack of a “consistent enforcement environment,” and the need for greater transparency surrounding HIPAA enforcement.

Kari Myrold, Privacy Officer for the Hennepin County Medical Center in Minneapolis, Minnesota, testified that the lack of a final HITECH Rule is “a big reason” why the HIPAA Privacy and Security Rules are not being effectively enforced.  In response to a question by Senator Richard Blumenthal (D-CT),  Myrold speculated, “Until we actually get those final rules and people know that they’re going to actually be enforced, you’re probably not going to see a lot more compliance.”

In his concluding remarks, Franken emphasized that more can be done through existing statutes to enforce medical privacy laws and quoted McGraw’s earlier comments: “We need the regs, we need the regs, we need the regs.”