To date no civil penalties have been administered.

Apgar says HIPAA security regulations are based on a complaint-driven system, which lack the funding, staffing and additional regulations to specifically deal with medical identity theft.

“The majority of privacy issues occur because of a security incident, but people don’t understand that there is no privacy without security,” he says.

He says that laxity in enforcing HIPAA security laws stems from monetary issues. HHS is teaming up with firm PricewaterhouseCoopers in order to conduct random audits at hospitals.

But Apgar is weary of how long this will last if they cannot obtain funding. “If you don’t finance enforcement of rules it really doesn’t matter. Enforcement has been really, really lacking,” says Apgar. This should have been funded from the very beginning, he says.

“Healthcare organizations figure if no one is enforcing it then they do not see a need to spend the money on the security system,” Apgar says.