• Health care privacy law: All bark, no bite?

    Two years ago, when Bill Clinton had heart surgery performed in New York's Columbia Presbyterian Medical Center, 17 hospital employees -- including a doctor -- peeked at the former president's health care records out of curiosity. Earlier this year, Boston-based Brigham and Women's Hospital repeatedly faxed patient admission sheets to a nearby bank by accident. The faxing continued even after bank employees warned the hospital. In Hawaii, Wilcox Memorial Hospital lost a thumb drive containing personal information on every one of its 120,000 current and former patients.

    None of the institutions involved in these incidents has been fined under the highly touted medical privacy law, known as HIPAA (Health Insurance Portability and Accountability Act).

    In fact, there have been 22,664 HIPAA privacy-related complaints filed since the privacy rule took effect in 2004, and not a single institution has been fined for privacy lapses, according to the Department of Health and Human Services, which enforces HIPAA. It's not clear that any of the three incidents above generated HIPAA privacy complaints, so the total number of privacy-related incidents is no doubt higher.


    Health privacy advocates are crying foul. One even calls HIPAA a "charade."

    "It's a huge charade imposed on the public at great expense," said Twila Brase, president of the Citizens' Council on Health Care, a Minnesota patient-rights group. "The real scandal ... is that they called it a privacy rule."

    Anyone who's been to a doctor's office or a hospital in the past three years knows HIPAA, even if they don't know it by name. Patients are now asked to sign an elaborate privacy information sheet when they first arrive at a medical practitioner's office. The form lists in detail consumers' rights to keep their health care information private, but it often seems to confuse the patients. A California HealthCare Foundation study released last year found that only 59 percent of consumers recalled having received the form, and of those, only one-quarter believed that HIPAA gives them additional rights.

    Perhaps they're just using common sense, says Kate Borton, former head of security at Massachusetts General Hospital in Boston.

    "I don't think (federal agencies) are taking this all that seriously," said Borton, now president of health privacy consulting firm The Marblehead Group. "Enforcement is a farce. ... There is no funding for what we call the HIPAA police. It's a joke because there aren't any HIPAA police."

    'Informal' action works, agency says
    Officials at the Department of Health and Human Services bristle at this measurement of HIPAA's success. They argue that the agency has used "informal means" to correct 76 percent of complaints about privacy deficiencies at hospitals and medical offices.

    "Since our compliance effort began we have resolved thousands of cases through corrective actions," said a spokesman for the agency, who asked not to be identified because of agency policies. "We believe it's inappropriate and misleading to focus exclusively on lack of monetary penalties as a measure of the degree of compliance."

    A process of informal resolutions from the agency, spurred by consumer complaints, has been well-received by health providers, who quickly amend their faulty processes, he said. "Those resolutions bring the benefits of the privacy rule to consumers much more quickly than the adversarial process of civil monetary penalties," the spokesman said. "It encourages cooperation."

    The system could be compared to old-fashioned community policing, where a cop who lives in the neighborhood and walks the beat might knock on your door and give you five minutes to move your illegally parked car before giving you a ticket.

    Only, at the Department of Health and Human Services, there are no cops walking the beat. HIPAA enforcement is entirely "complaint-driven," the agency indicated in its enforcement directive, published last year. And regulators were directed to always offer voluntary compliance terms first.

    But the HHS spokesman said health providers are aware that such a friendly conversation could turn sour -- and cost money -- if they don't quickly respond to a complaint. "We are prepared to use our civil monetary penalty authorization in appropriate cases," he said.

    'I don't think that's effective'
    Privacy experts are skeptical. After nearly 23,000 complaints and no fines, many wonder if the system is really working as designed.

    "An informal call from a regulator, we think that's an appropriate use of resources. But we have no reason to believe they have structured follow-up processes," said Paul Feldman, deputy director of the Health Privacy Project, a health care think tank based at the Georgetown University Institute for Healthcare Research and Policy. "They will tell you they use a robust system of voluntary compliance, that they close three-quarters of the cases. … I'll leave it to your readers to decide if that's effective."

    Still, Feldman believes HIPAA has at least moved the ball forward for patients, who previously had no formal way to complain about health care privacy problems. Today, the Office of Civil Rights in the Department of Health and Human Services has a structured mechanism for complaints, a step in the right direction.

    And not everyone is critical of the HIPAA enforcement track record.

    "It's hard to figure out if 22,000 is a big number," said Kirk J. Nahra, a health care privacy law expert at the Wiley Rein & Fielding law firm in Washington, D.C. "There are a number of complaints that were thrown out because they involve things that have nothing to do with HIPAA.

    "They've seen people trying to do the right thing and fix the problem if there was a problem. I don't see the conclusion that a lack of penalties … equates to people not paying attention to the rule."

    A 10-year-old law
    HIPAA dates to a federal law passed back in 1996, governing a wide variety of health records initiatives. The law directed Congress to enact additional privacy legislation, but federal lawmakers have so far failed to do so. Instead, Health and Human Services was directed to create this privacy regulation as a stop-gap measure. HIPAA's privacy rule took effect in April 2003.

    In addition to the new paperwork for patients, the regulation created red tape for health care providers, who were required to create and track the privacy notices. Some say it also created paranoia for nurses, doctors and volunteers. Many health care firms read their employees the riot act over sharing any medical information at all, and in some cases, there have been over-reactions to the possibility of HIPAA fines. Family members sometimes have trouble sending flowers to hospitalized loved ones, for example, says patients' advocate Brase.

    It's something she calls the "HIPAA hassle." The paranoia and confusion led the Health Privacy Project to create and publish a list of HIPAA myths.

    But despite all that anxiety, complaints haven't led to any visible action by HHS, leaving privacy advocates like Brase wondering what's going on.

    "The public thinks there's some sort of rule here," she said. "But it's a smokescreen."

    Top complaints
    HHS doesn't disclose details of specific complaints, but Hadley said the allegations fall into five broad categories:

    • Impermissible use or disclosure of an individual's health information, the most common complaint;
    • A lack of adequate safeguards, such as unlocked doors or a computer screen facing a waiting room;
    • Refusal or failure to provide an individual with access to or a copy of his or her records;
    • Disclosure of more information than is minimally necessary to perform a health-related task;
    • Failure to have an individual's valid authorization for disclosure.

    In complaints, patients have described everything from unlocked cabinets containing personal information to nurses who announce patient data too loudly in waiting rooms. Other incidents involving data security, such as lost laptop computers with health information, are redirected to a different office at Health and Human Services, and governed by a separate security rule at the agency.

    The Health Privacy Project, based in Washington D.C., offers far more detail in its collection of patient privacy nightmare stories -- an alarming 25-page document that summarizes hundreds of patient records thefts that have made headlines since implementation of HIPAA.

    Tales range from bizarre to overwhelming. In one case, a retired school teacher was repeatedly called by a hospital that demanded she pay for amputation of her right foot, even though she still had both feet.

    In another, Providence Health System in Oregon revealed that a burglar stole computer equipment containing health records on 365,000 patients from an employee's van.

    HHS can do more than issue civil penalties; it can recommend the Department of Justice bring criminal charges against hospitals and other health care providers. So far, 332 criminal cases have been referred, but there have been only three prosecutions, all against individual health care workers. Justice spokesman Charles Miller said he couldn't discuss the status of the other cases.

    What concerns Feldman most is the erosion of faith and trust if the public perceives that health information is not being carefully guarded or that privacy laws are not being enforced. Patients who don't believe their confidentiality will be preserved are less likely to tell their doctors about sensitive health matters -- to admit to occasional drug and alcohol use, for example -- and that could endanger their care, he said.

    But beyond that, faith in health record privacy is a critical component of the coming national electronic health record system. The Bush administration has established a goal that half of Americans have an electronic health record by 2014. At its best, the system would be a boon for patients and for researchers, who could conduct more accurate and immediate studies.

    But if designed poorly, it could ease the work of identity thieves, voyeurs and other lurkers, who could steal or view records from any part of the system. To get the public to willingly participate, patients must have a lot of faith in health privacy. Lax enforcement of current rules could imperil future data sharing programs, Feldman said.

    "(The system) can be brilliant," he said. "But we are looking for brilliant and protective."

  • Double standards in security hassles

    It's privacy week at MSNBC.com. We've tried to examine that very complex topic from many angles in the hopes of beginning a wider dialog on the subject. We only lightly touched on privacy's twin subject -- the yin of privacy's yang -- security. A deeper look at that subject will come in the coming weeks and months.

    Suffice to say that we have all been asked to surrender some of our privacy with the promise of increasing our level of security.

    But have we succeeded in making ourselves safer? Last week's tragic death of Yankees pitcher Cory Lidle in a New York City airplane crash raises this issue. Are all Americans being asked to make the same sacrifices in the name of security? Lidle's ill-fated flight suggests a disturbing answer. To get there, we must ask this obvious question: How could someone fly a plane into a New York City high-rise without anyone knowing that an aircraft was there?


    For a frantic two hours last week, I watched and listened as NBC aviation producer Jay Blackman and aviation correspondent Tom Costello tried to understand what happened when an unidentified small aircraft struck a Manhattan apartment building. Initial reports suggested it was an accident, but that's what the initial reports indicated on Sept. 11, 2001, too. As billowing thick smoke blocked most views of the damaged building, no one knew what to think.

    The mystery of the missing aircraft was just as thick. The FAA initially had no comment on the aircraft – where it was going or where it came from. No nearby airports reported any missing aircraft. No air traffic controller reported losing a plane. No one seemed to have any idea where this plane was headed, feeding fears that foul play could be involved.

    Then, an unexpected answer began to emerge. Blackman learned that the pilot was flying under visual flight rules, so no flight plan was necessary. It was possible -- even likely -- that no air traffic controller had been in contact with the pilot before the crash.

    How could that be? The obvious question was followed by loud debate among aviation experts in the newsroom. There were no such free flight zones over Manhattan, some argued. How could there be? With images of planes flying into buildings seared into the minds of New Yorkers, could any area around America's most densely populated city be open to any small aircraft that someone chose to fly there?

    The answer, to much amazement, was "yes."

    A Wild West for pilots
    No one knew this plane would be flying around New York's precious monuments and high-rise buildings because no one had to know. Until last week, anyone could fly a plane over New York's Hudson and East Rivers unannounced, so long as the pilot maintained a low altitude and stayed over the rivers. This area around New York City was essentially a Wild West for pilots. No need to check in with government air traffic cops; no need to fill out the paperwork.

    I know this might sound like a New York story, but it's not. It's a story about a double-standard. Behind much of America's security plans, you'll find this sad truth: The masses are being subjected to incredible inconveniences, and worse, but not everyone is being treated the same.

    Until recently, you or I couldn't take a bottle of water or a tube of toothpaste on an airplane. Mothers were forced to drink their babies' milk. Elderly women were subjected to humiliating pat-down searches. And yet hobby pilots had free run of the sky around Manhattan.

    Security in America is a dangerous farce; it's busywork for tens of thousands of Transportation Security Agency officials, harassment for innocent Americans and full of holes that any slightly determined terrorist could drive an explosive-laden truck through. We are worrying about the wrong things.

    After the crash, numerous New York politicians took to the airwaves castigating the FAA for its lax airspace rules. There was one significant exception. New York Mayor Michael Bloomberg, himself a hobby pilot, defended the FAA. His was a vote essentially in support of these more informal flight rules.

    The position is indefensible. Let me rephrase it: Patting down grandma is fair game; forcing some paperwork onto a pilot flying into the most vulnerable, populated place in America is not? That's madness.

    More important, it's a terrible double-standard.

    No hassles for the privileged
    Look more closely at America's security and you'll see many examples of such elitism. It starts with elite frequent fliers, who don't have to stand in long security lines at airports. All the plebes do.

    On July 23, 2003, New York City Council candidate Othniel Boaz Askew was able to shoot and kill council member and rival James Davis with a gun in school headquarters at City Hall, even though entrance to the building required a trip through a magnetometer. How? Askew used his politicians' privilege -- a courtesy wave around from security guards at the magnetometer.

    An isolated incident? Hardly. In 2002, undercover investigators from Congress' auditing arm, the General Accounting Office, used fake law enforcement credentials to get the free pass around the magnetometers at various federal office buildings around the country.

    What we see here is class warfare on the security battleground. The reaction to Sept. 11 has led to harassment, busywork, and inconvenience for us all – well, almost all. A select few who know the right people, hold the right office or own the right equipment don't suffer the ordeals. They are waved around security checkpoints or given broad exceptions to security lockdowns.

    If you want to know why America's security is so heavy on busywork and inconvenience and light on practicality, consider this: The people who make the rules don't have to live with them. Public officials, some law enforcement officers and those who can afford expensive hobbies are often able to pull rank.

    Class warfare isn't new. But in this form it is dangerous. By paying attention to the wrong things – grandma at the airport – we are ignoring the right things – identifying the most dangerous people. By training an army of low-paid workers to harass us all at airports by taking away our cologne, we aren't doing the right things – hiring, training and rewarding an elite force of employees specially equipped to keep those who would hurt us off our airplanes and away from our bridges and tunnels.

    As written earlier in this space, while we lavish billions of dollars on high-tech security projects of dubious efficacy -- such as massive data mining of phone records or telephone calls -- we put ourselves at risk by adopting a very false sense of security.

    If you doubt these misplaced priorities, think about the small fleet of aircraft that have buzzed by New York City buildings freely since 9/11. Then think about all the nail clippers and makeup you've been asked to surrender before boarding an airplane.

    Only days after the Cory Lidle plane crash, the FAA did an about-face on its New York airspace rules. Now, pilots who want to fly along the East River -- that is, along Manhattan's east side -- must file a flight plan. No one can fly there now unless under direct control of an air traffic cop. That rational step is five years too late, but a step in the right direction.

    Does the ruling signal a change in approach on America's security? Does it suggest my double-standard theory might be wrong?

    The FAA was silent on the issue of airspace along Manhattan's west side. So small planes still have free run of the Hudson River. Now there's a double-standard, even from one side of Manhattan to the other.

    But even if the case could be made for a double-standard, that there's no risk to allowing some people to enjoy a brisker walk through airport security checkpoints, the case can't be made for irrational security rules. Allowing planes to fly unannounced anywhere near New York City is pure foolishness, but I believe it is indicative of an administration that seems more interested in keeping the masses confused, scared and busy than one that's ready to take the most basic steps to make us safer.