HIPAA privacy rule: Is it time for (re)reform?

Kaiser's Health Policy Daily has a nice summary of a Wall Street Journal article (link good for 7 days) on HIPAA's privacy loopholes that appeared the day after Christmas:

"[I]ncreasingly complex confidentiality issues" in federal medical privacy rules "are affecting patients and their insurance coverage," the Wall Street Journal reports. According to the Journal, complaints of privacy violations "have been piling up." Between April 2003 and Nov. 30, 2006, HHS received 23,896 complaints related to medical-privacy rules. An HHS spokesperson said 75% of those complaints have been closed because no violations were found or informal guidance was provided to involved parties. Since HIPAA was enacted in 2003, HHS has not taken enforcement actions against any entity for violating the privacy rule. The Journal profiled attorney Patricia Galvin, who was denied disability benefits after her health insurer, UnumProvident, accessed notes from psychotherapy sessions at Stanford Hospital & Clinics. According to the Journal, UnumProvident said the notes indicated that Galvin was not "too injured to work" after she was involved in a car accident and applied for long-term disability leave. UnumProvident had asked Galvin to sign a broad release to access her basic medical records, which included some of the psychotherapist's notes about Galvin that Stanford had scanned into its computer records system. Galvin has filed a lawsuit against Stanford and UnumProvident for violating medical privacy laws, among other issues, under the federal Health Insurance Portability and Accountability Act. HIPAA includes added protection for mental health records, but Stanford in court papers said that "psychotherapy notes that are kept together with the patient's other medical records are not defined as 'psychotherapy' notes under HIPAA." Peter Swire, a law professor at Ohio State University who helped write the regulations, said, "We're three years into the enforcement of the rule, and they haven't brought their first enforcement initiative." He added, "It sends the signal that the health system can ignore this issue" (Francis, Wall Street Journal, 12/26/06).