Does the lack of imposing civil fines after 19,420 formal grievances mean the HHS is not doing their job? The Washington Post suggests that's the case. Since HIPAA came into force in 2003, the government has reviewed and closed 72% of the potential HIPAA violations filed with the HHS Office of Civil Rights, resulting in just two criminal cases and no civil fines.

"Our first approach to dealing with any complaint is to work for
voluntary compliance. So far it's worked out pretty well," said Winston
Wilkinson, who heads the Department of Health and Human Services'
Office of Civil Rights, which is in charge of enforcing the law.

Not surprisingly most physicians, hospitals and payors appreciate the low key approach to enforcement. It's also no surprise that this approach to has generated vociferous criticism from privacy advocates and some health industry analysts.

"The law was put in place to give people some confidence that when they
talk to their doctor or file a claim with their insurance company, that
information isn't going to be used against them," said Janlori Goldman,
a health-care privacy expert at Columbia University. "They have done
almost nothing to enforce the law or make sure people are taking it
seriously. I think we're dangerously close to having a law that is
essentially meaningless."

Actually, the law was put into place to provide a uniform privacy standard to take the place of a plethora of different state laws. Buried in paragraph 12 we learn the feds have referred 309 possible criminal violations to the Justice Department.

Recent studies have shown that one of the general public's chief concerns about electronic medical records is concerns about privacy. But, just what are the risks? Hmm, let's see, there's identify theft - that's a real concern. And, ah, mmm, well... oh yes, authorities need a subpoena or search warrant to access your medical records - but they had to do that before HIPAA. I've heard the scenario where payors would love to see the results of genetic testing so they could terminate your coverage due to genetic risk factors - but if you submit the test for reimbursement, they already get access to the study and results.

"The law came about because there was a real problem with people having
their privacy violated -- they lost jobs, they were embarrassed, they
were stigmatized. People are afraid. The law was put in place so people
wouldn't have to choose between their privacy and getting a job or
going to the doctor," said [Janlori] Goldman [a health-care privacy expert at Columbia University], who also heads the Health Privacy
, a Washington-based advocacy group. "That's still a huge

We know that is not why HIPAA came about. And to suggest that health care providers are gossip mongers regarding their patients, willing to divulge clinical information (like the results of a paternity or HIV test) for fun or cash, is not supported by the facts. These data and situations have always been handled seriously by providers. Sure there have been exceptions, and when they occur to my knowledge they've been treated with the import and concern they deserve - with results ranging from terminations (of the disclosing party) and legal action. This whole "controversy" seems to be just one step above RFID paranoia.