The following HTML text is provided to enhance online
readability. Many aspects of typography translate only awkwardly to HTML.
Please use the page image
as the authoritative form to ensure accuracy.
Engaging Privacy and Information Technology in a Digital Age
under what circumstances.7 Whether this confusion merely reflects a transitional effect between pre-HIPAA and post-HIPAA regimes remains to be seen.
The requirement for training has been seen by some as a way of changing the culture of the medical provider profession in a way that is positive albeit costly. The impact on researchers, especially those wishing to do large-scale and long-term investigations across sets of medical records, is currently unknown; however, the formulation of the privacy regulation has created a mechanism for dialog between researchers and regulators.
Finally, there remains the question of enforcement of HIPAA’s privacy regulations. In June 2006, the Washington Post reported that in the 3 years since the HIPAA regulations went into force, thousands of complaints alleging violations have resulted in two criminal prosecutions, no civil fines, and many agreements to fix problems that may have occurred without any penalty.8 These complaints have included allegations that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained, and that patients were frustrated in obtaining their own records. One administration official was quoted as saying that “our first approach to dealing with any complaint is to work for voluntary compliance.” Critics have asserted, however, that a lack of aggressive enforcement has made providers and insurers complacent about complying.
In the long run, an enforcement regime of some sort is likely to be needed to ensure substantial compliance with the regulations. But as with the confusion about the circumstances under which what personal health information may be provided to which parties, the long-term results of the current approach to compliance remain to be seen.
7.3.3 Patient Perspectives on Privacy
As noted above, HIPAA mandates a number of privacy protections for personal health information. The concept of informed consent is important to these protections, and thus health care providers are required to