Since HIPAA went into effect in 2003, more than 34,000 complaints of privacy violations have been filed. Most of them (about 80%) were quickly resolved; the bulk were simply dismissed. In other cases, a warning was issued, or the matter was pursued in civil court.
About 400 of the unresolved cases have been referred to the federal Department of Justice, but only a handful have been prosecuted. This is likely to change, however, as violations are taken more seriously and as the government gears up for this type of case.
While some HIPAA violations are inadvertent—a stolen laptop with patient records on it, for example, or a computer glitch that reveals information on the Internet, possibly compromising confidential information —Ms. A’s actions struck at the heart of what HIPAA is supposed to avoid. She accessed patient records, gathered information, and then provided that information to someone else, knowing it would be used in a way that was harmful to the patient. The federal authorities prosecuted her to set an example for health-care providers and to warn HIPAA-covered entities that the regulation is serious and must be upheld.
Ms. A’s actions could have put the clinic itself in danger of prosecution, but management handled the situation in the best way possible. Her supervisor fired her on the spot after the patient notified him of the breach. Then, without delay, Dr. P called a meeting to educate staff members—both clinical and clerical—about HIPAA’s provisions, their purpose, the importance of patient privacy, and what can happen in the event of a violation.
It’s important not to wait for an incident to occur. The best way to protect yourself is to be sure you understand HIPAA regulations. If you have a question, ask a supervisor and document the response. If you come across records that make you uneasy or that you find tempting to peek at inappropriately, as Ms. A did, tell a supervisor and find someone else to do the task.
Patient privacy is a serious issue that the courts will continue to treat very seriously in the future. You can’t get lax about it.