More Details of Senate Blasting of HIPAA Enforcement

In my November 14, 2011, post, I reported that the Senate Judiciary Subcommittee on Privacy, Technology, and Law had recently held a hearing to discuss federal enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). Since that post, more details of the hearing have surfaced.

As I had mentioned in the earlier post, Subcommittee Chairman Al Franken (D-MN) told officials from the Department of Health and Human Services (“DHHS”) and the Department of Justice (“DOJ”) that “the overall record of [HIPAA] enforcement is simply not satisfactory.”

Witnesses included U.S. Attorney Loretta Lynch and Leon Rodriguez, Director of the HHS Office for Civil Rights (“OCR”). Both officials underscored their agencies’ commitment to enforcing medical privacy laws. Lynch testified about DOJ’s efforts to enforce HIPAA’s criminal provisions, while Rodriguez cited OCR cases against Massachusetts General Hospital and CVS/Rite Aid that led to $1 million and $2.25 million fines.

Franken responded that, although DOJ and OCR may be increasing enforcement, the lack of enforcement in the vast majority of cases was “simply not satisfactory” with only one formal fine and six settlements out of more than 20,000 complaints. DHHS had referred 495 HIPAA complaints to DOJ, but these referrals had led to only 16 HIPAA prosecutions.

Franken found the lack of final HITECH regulations to be a significant problem. See “Your Health and Your Privacy: Protecting Health Information in a Digital World” on the United States Senate Committee on the Judiciary website for more information.

Committee member Senator Coburn noted that he has sponsored a bill, S. 1535, the Personal Data Protection and Breach Accountability Act, that would extend HIPAA protections to health data held by companies that are not currently covered by HIPAA and increase the penalties for violations. See the article on the AISHealth website at The full text of the bill is at
