When Congress passed the Health Insurance Portability and Accountability Act (“HIPAA”) in 1996, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) was charged with enforcing regulations intended to protect the privacy of health information. Although the premise of HIPAA was to allow a patient to safely assume that what was said in an examination room stayed in the examination room, a recent article in The Washington Post has revealed that the enforcement of HIPAA regulations is falling short. For example, in 2014 alone, OCR received approximately 18,000 HIPAA complaints, but brought only 6 formal actions. Moreover, the law does not allow patients a private right of action to sue an offending health care provider, and OCR has admitted that repeat offenders are not tracked.
Solutions to protecting patient and consumer health care information, in large part, do not require legislative action. For example, OCR could use the tools already at its disposal to levy punitive damages on repeat offenders, which would incentivize businesses to protect patient data. Furthermore, in the long run, a “whistleblower” mechanism, such as a qui tam action under the False Claims Act, could incentivize HIPAA compliance, although such an action would involve Congressional approval.