From the Health Privacy Project:

Yesterday, the U.S. Department of Justice issued a ruling that
significantly weakens the enforcement provisions of the HIPAA (Health
Insurance Portability and Accountability Act) Privacy Rule (see R. Pear,
New York Times, 6/7/05). Under the new ruling, only covered entities
(such as hospitals, doctors, and health plans)and not necessarily their
employeescan be held accountable and prosecuted for criminal penalties
under the Privacy Rule. This is a disturbing reversal and a stunning
contradiction to the first criminal conviction under the Privacy Rule,
whereby an employee of a consortium of cancer hospitals admitted to
wrongful disclosure of a patients personal health information. Outside
of that one criminal conviction and despite more than 13,000 complaints,
the Department of Health and Human Services (HHS) has never issued a
penalty for violations of the HIPAA Privacy Rule. The complaint-driven
enforcement process of the Privacy Rule is already inadequate, but this
ruling dramatically weakens the impact of the law and significantly
limits the recourse patients have when their health information is
illegally accessed, used, or disclosed.

This ruling is particularly distressing as the Bush administration
continues to press for the development of a National Health Information
Network (NHIN)with HHS Secretary Leavitt yesterday announcing the
creation of a new advisory panel to set federal standards for a national
electronic medical record (EMR) system. On the heels of the Secretarys
announcement, the administrations ruling only continues to undermine the
force of the first federal law protecting individuals sensitive health
information. Given the administrations track record and the lack of any
real commitment to ensuring that Americans personal health information
will be protected, the Health Privacy Project (HPP) is seriously
concerned that consumer and privacy advocates will not be fully
represented on the advisory panel. The public is more concerned than ever
about the privacy of their most sensitive information, especially in
light of well-publicized privacy and security breaches at major financial
and marketing firms.

Our fundamental concern is that without a strong and enforceable federal
health privacy law, patients will continue to take steps to protect
themselves from discrimination and stigma by limiting what they tell
their doctors and avoiding health care. Such privacy-protective behavior
is likely to increase if the government presses for an electronic health
network that does not adequately safeguard the privacy and security of
peoples sensitive health information.

[thanks Darby Penney]