ProPublica has created a database of healthcare organizations that have violated patient privacy to make it easier for consumers to find repeat HIPAA violators. The biggest offenders have now been exposed.
Since late 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing self-reported data breaches suffered by HIPAA-covered entities. The list of data breaches, often referred to as OCR’s “Wall of Shame”, currently lists 1425 data breaches dating from October 21, 2009.
Some healthcare organizations have suffered a single data breach, while others have suffered more. However, it is difficult to quickly ascertain how many breaches have been suffered by a particular entity. Not all data breaches are listed under the same company name. A search for a particular healthcare provider may reveal just one breach has been suffered, when in actual fact a great deal more have occurred.
CVS Health is a good illustration of the problem. A search for that name produces one result: a 12,914-record breach suffered this year. A search for CVS Caremark reveals four breaches, but not the 12,914-record breach.
The OCR wall of shame also only lists data breaches that have exposed the records of more than 500 individuals. In actual fact, CVS has breached HIPAA Rules and violated patient privacy on numerous occasions. 204 to be exact, according to the latest figures from a ProPublica study.
ProPublica Study Reveals the Regular HIPAA Violators
ProPublica recently conducted an investigation to determine the extent to which organizations are violating HIPAA rules and have accidentally disclosed Protected Health Information (PHI). In order for ProPublica to find the biggest HIPAA violators, researchers had to do some digging. Data was taken from the OCR breach reporting portal and the Department of Veterans Affairs, as well as from the California Department of Public Health. A database was then compiled containing the information from all of these sources.
ProPublica also standardized the names of the organizations in the database to make searching easier. After compiling and collating all of the data, ProPublica researchers then assessed whether HIPAA violations had occurred.
The Real Wall of Shame: Repeat HIPAA Violators Identified by ProPublica
Determining whether HIPAA had been violated is complex, although for the purposes of the investigation a HIPAA violation was deemed to have occurred if a breach of PHI resulted in a corrective action plan being issued by OCR, or if technical assistance was provided. Using data from between 2011 and 2014, and classifying HIPAA violations in this manner, ProPublica was able to produce a list of quite startling figures.
| Organization | Number of Complaints Received (2011-2014) |
| Dept. Veterans Affairs Clinics | 220 |
What Are These Regular Patient Privacy Violations?
Cyberattacks and cases of insider theft do occur; however, in the majority of cases these privacy violations were relatively minor and exposed just one or two records.
The monthly reports submitted by the Department of Veterans Affairs to Congress detail many privacy violations, although the majority fall into the same categories: patient A receives a prescription or letter intended for patient B, for example.
Complaints are made regarding these privacy incidents and OCR investigates, but these incidents result, at worst, in a corrective action plan being issued; never a fine. In the case of the above complaints, the organizations in question have been warned on numerous occasions. When complaints are made, the companies in question do investigate. Action is taken and further training is given to employees, for example, but the mistakes continue to be made.
The number of complaints received suggests that too little is being done to correct the core issues that are leading to these privacy violations.
The organizations are told by OCR that they may face an investigation if similar privacy violations occur in the future, but nothing appears to be done, since the same violations occur time and time again. Patients receive prescriptions intended for others, faxes are sent to the wrong people, and patients’ medical conditions are accidentally disclosed to others.
However, although errors are made that result in privacy violations of just one or two individuals, the consequences for those people can be highly serious, arguably more so than some of the larger data breaches that OCR has issued fines for.
A stolen unencrypted laptop computer containing patient data could potentially place patients at risk of identity theft, but the disclosure of a serious medical condition to a neighbor, HIV for example, could have far more severe consequences for the patient, and could potentially result in that individual suffering far greater harm.
OCR Addressing Issues That Allow Repeat HIPAA Violators to Go Unpunished
OCR has previously been criticized on numerous occasions for failing to take action over HIPAA violations. However, with so many violations occurring, OCR is unable to fine all organizations for every violation that occurs. Efforts have therefore been concentrated on the most serious offences, such as those that have resulted in the most patient records being exposed, or when investigations have uncovered multiple Privacy and Security Rule violations.
Only one fine for a data breach involving fewer than 500 records has been issued by OCR: a $50,000 financial penalty for the Hospice of North Idaho following the theft of an unencrypted laptop computer containing 441 patient records.
Small data breaches should be taken into consideration when deciding whether a financial penalty is appropriate. Walgreen, for instance, has had 183 complaints filed for privacy violations, yet it has escaped a financial penalty. A complaint does not necessarily mean that HIPAA has been violated, or that patient privacy has been compromised, but when complaints number in the hundreds it strongly suggests this to be the case.
If numerous small breaches have in fact been suffered, it would indicate that HIPAA rules are not being followed. While OCR has claimed it looks at previous offences when investigating covered entities for larger breaches, OCR’s systems do not permit full searches to be conducted in many cases, as highlighted by a recent OIG audit.
The audit revealed that OCR staff do not always check whether an organization has suffered multiple breaches in the past, or even whether action has been taken against the organization before. OCR’s systems lack the capability to accurately search for past violations and enforcement actions.
Following the publication of the OIG report, OCR has said that it plans to tackle the problem and will be implementing a new system that allows accurate searches to be conducted. Healthcare organizations that repeatedly violate HIPAA rules should therefore not be able to escape so lightly in future.
VA clinics, CVS Health, Walgreen, Kaiser Permanente and Walmart in particular will therefore have to up their game and do more to prevent privacy violations from occurring or they may face serious fines.
In the meantime, consumers will now be able to make an informed decision about where they take their business. The threat of loss of business as a result of privacy violations may be the catalyst that is needed to make sure that healthcare organizations do more to tackle repeat privacy violations. Hopefully repeat HIPAA violators will be urged to take action.
The ProPublica database, called the HIPAA Helper, can be accessed via the following link: HIPAA Helper