The Department of Health and Human Services (HHS) has been found to investigate under a quarter of the total medical privacy complaints filed against organizations covered by the Health Insurance Portability and Accountability Act (HIPAA), according to a report issued by the Melamedia group.

From April 2003 to Sept. 2006, HHS received 22,664 complaints at its Office for Civil Rights (OCR). During that time just 5,400 (23.8 percent) were deemed to merit further investigation or action, according to agency statistics.

Of the 5,400 complaints that were pursued, OCR took informal action in 3,700 cases. Of the remaining 1,700, OCR found that the covered healthcare organization named in the complaint had not violated the HIPAA privacy rule, according to the report.

“These statistics raise a lot more questions than they answer,” said Dennis Melamed, editor and publisher of the organization’s newsletter for which the report was produced. “For example, does this mean that concerns over medical privacy are overblown? Or does it mean that the HIPAA privacy rule does not cover everyone it should? Or does it mean that the country got lucky and that the healthcare community has been protecting patient confidentiality but just didn’t have a way to prove it until HIPAA came along? We just don’t know,” he added.

Melamed stated that he feels that the debate over electronic health records appears to have completely ignored the nation’s experience with HIPAA. “HIPAA created electronic transaction standards, which can reasonably be viewed as the first-born of electronic health records. However, few people appear to recognize that.

“Even more puzzling is why there has been no discussion of the HIPAA data security complaint system run by the Centers for Medicare and Medicaid Services (CMS),” Melamed said. ”This complaint system is focused exclusively on the security of electronic health records.”