Security expert says HIPAA doesn't have clout it takes

By Molly Merrill

Computers can be added to that list of lost items.

According to privacyrights.org, there were at least 46 U.S. data breaches involving 62 stolen or lost computers at healthcare facilities in 2007, resulting in almost 5 million compromised identities.

Apgar, president of Apgar and Associates, says the HIPAA Privacy Rule doesn’t include any private right of action and was not written for the criminal side, or with medical identity theft in mind. Criminal cases are reviewed by the Department of Justice. In other words, Drew could not have sued the hospital under HIPAA; only the federal government can do this.

“I do see this as a flaw,” Apgar says.

It is not that HIPAA complaints filed with the Office of Civil Rights are not taken seriously; they are, he said. But OCR only conducts an investigation of the covered entity; it is not penalizing them for what they have done, or at least not yet.

If OCR finds the hospital is negligent, then the hospital can show voluntary compliance by submitting a plan for necessary corrective action to the U.S. Department of Health and Human Services.

Other cases are simply dropped because for one reason or another they don’t fall within HHS’ jurisdiction.
