Image of nurses' hands at computer keyboard

Federal regulatory officials still have not issued any fines for violations of new medical privacy rules first issued five years ago. This despite 38,000 individuals having filed complaints with the Department of Health and Human Services’ Office for Civil Rights, according to a Des Moines Register analysis of state and federal records.

More than half (56%) of the complaints about the privacy rules-which come under the Health Insurance Portability and Accountability Act-were resolved without investigation, the newspaper reported. Less than 2% (just 437) of the complaints were referred to federal investigators.

“There are no HIPAA cops out there looking for violations,” said Abner Weintraub of the HIPAA Group, an Orlando-based consulting group. “Enforcement at the Office for Civil Rights is virtually nonexistent. Technically, they’ve still not issued a single fine — not even down to the $100 level, and they could toss those around like candy, if only to wake people up about the seriousness of compliance.”

One of the biggest problems is that providers do not have to report internal violations, Weintraub said: “This is a tremendous loophole. Enforcement is left to the healthcare community to sort of self-police itself, and to the Office of Civil Rights, which has done virtually nothing.”

An OCR spokeswoman said her office resolved nearly 7,000 complaints through corrective action orders, “the most effective way to obtain industry compliance with the privacy rule.”