In a string of meetings and press releases, the federal government's health watchdogs have delivered a stern message: They are cracking down on insurers, hospitals and doctors offices that don't adequately protect the security and privacy of medical records.
"We've now moved into an area of more assertive enforcement," Leon Rodriguez, then-director of the U.S. Department of Health and Human Services' Office for Civil Rights, warned at a privacy and security forum in December 2012.
But as breaches of patient records proliferate — just this month, insurer Anthem revealed a hack that exposed information for nearly 80 million people — federal overseers have seldom penalized the health care organizations responsible for safeguarding this data, a ProPublica review shows.
Since October 2009, health care providers and organizations (including third parties that do business with them) have reported more than 1,140 large breaches to the Office for Civil Rights, affecting upward of 41 million people. They've also reported more than 120,000 smaller lapses, each affecting fewer than 500 people.
In some cases, records were on laptops stolen from homes or cars. In others, records were targeted by hackers. Sometimes, paper records were forgotten on trains or otherwise left unattended.
Yet, over that time span, the Office for Civil Rights has fined health care organizations just 22 times.
"It's disappointing and underwhelming," said Bob Chaput, founder and chief executive of Clearwater Compliance, which helps health care organizations create programs to protect sensitive information. "They're not doing as much as they could or should."
The Office for Civil Rights declined an interview request from ProPublica, but said in a statement that it "aggressively" identifies and investigates "high-impact cases that send strong enforcement messages about important compliance issues." The agency looks into all large data breaches, a spokeswoman wrote in an email, and the cases resulting in financial penalties "have involved systemic and/or long-standing" concerns.
The agency's stiffest sanction to date came last May, when it hit New York-Presbyterian Hospital and Columbia University with fines totaling $4.8 million for failing to secure the electronic health records of 6,800 people. A physician had tried to remove his personal computer server from a shared network, causing patient records, including patient status, vital signs, medications and lab results, to be found on Web search engines. The problem surfaced when a person found a deceased partner's personal health information online.
The federal government has played a growing role in health privacy and security since the passage of the Health Insurance Portability and Accountability Act, or HIPAA, in 1996. The law mandated standards for the use and dissemination of health care information and for how organizations protect electronic medical records.
In 2009, the Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act, went a step further. It required that organizations publicly report breaches involving at least 500 patients, increased how much HHS could fine organizations that violate patient privacy and record security, mandated that HHS conduct audits, and extended the rules to third parties that work with health care organizations.
But since then, even HHS' inspector general has been critical of the way in which the Office for Civil Rights has used its authority. In November 2013, the inspector general faulted the agency for not performing audits mandated by the HITECH Act.
A first, pilot set of audits, conducted in 2011 and 2012, showed that 102 of the 115 organizations reviewed had at least some problems with security or weren't following rules to safeguard patient privacy. A larger follow-up round of audits is only now getting underway, experts say.
Some industry veterans say the Office for Civil Rights is trying to strike a balance between working with organizations to improve their security and punishing truly egregious lapses. Health providers often agree to make voluntary changes even if they're not fined, the agency has said.
"What you don't want [the Office of Civil Rights] to become is somebody like your parking enforcement where they're funding themselves by issuing tickets or fines to everybody who has the smallest infractions," said Joy Pritts, who until last year served as chief privacy officer for the federal Office of the National Coordinator for Health Information Technology.
Data security experts also say the Office for Civil Rights simply does not have the resources to handle its oversight responsibilities. While it can keep whatever fines it imposes to use for enforcement, it has fewer than 200 employees and a budget of just $39 million. Its duties, by comparison, are vast: Each year, it handles over 4,000 discrimination complaints, reviews 2,500 Medicare provider applicants to see if they are complying with federal civil rights requirements, and resolves more than 15,000 complaints of alleged HIPAA violations. The president is seeking a budget increase for the agency next year.
"They're swamped," said Dan Berger, chief executive of Redspin, an IT security company that issues an annual report on trends in large data breaches.
Some organizations currently under review by HHS say they don't know the status of their cases. In 2012, the state of Utah disclosed that hackers gained access to a server that stores data on Medicaid and children's health insurance claims. Social Security numbers of 280,000 people and less-sensitive information on 500,000 others were accessed.
Since then, the state health department has had three official interactions with the Office for Civil Rights, the last coming in May 2014. "It's hard to tell where we are in the process," said Tom Hudachko, an agency spokesman. "We thought there would have been resolution by this point."
Some security experts say that the government needs to use its authority to impose fines to send a message. Bruce Schneier, a computer security expert and blogger, compared the situation to environmental pollution.
"If the cost of polluting is zero, companies will pollute. How would a rational company not do that?" he said. "If your CEO said we're going to spend four times as much money not to pollute, he would be fired. What you need is to make security rational."
Help us investigate patient privacy by sharing your story. Also read our story about how a real-life medical show filmed a man's death without his permission.
ProPublica is a nonprofit investigative reporting newsroom based in New York.