The requirement to safeguard information must be supported by real and severe penalties for violations. Federal legislation should include punishment for those who misuse personal health information and redress for people who are harmed by its misuse. Specifically:
- There should be criminal penalties (including fines and imprisonment) for obtaining health information under false pretenses, and for knowingly disclosing or using medical information in violation of the Federal privacy law.
- Penalties should be higher when violations are for monetary gain.
- When there is a pattern or practice of unauthorized disclosure or other violations, there should be civil monetary penalties.
- Any individual whose rights under the law have been violated, whether negligently or knowingly, should be permitted to bring an action for actual damages and equitable relief. For knowing violations, attorney's fees and punitive damages should also be available.
Only if we put the force of law behind our rhetoric can we expect people to have confidence that their health information is protected, and ensure that those holding health information will take their responsibilities seriously.