ProPublica has created and launched a new database, called HIPAA Helper, which allows consumers to search for privacy violations by health care providers. An analysis of the database revealed hundreds of repeat HIPAA offenders between 2011 and 2014,ProPublica reports (Ornstein/Waldman [1], ProPublica, 12/29).
Database Details
To create the database, called HIPAA Helper, ProPublica analyzed data from:
- The California Department of Public Health;
- The Department of Veterans Affairs; and
- HHS' Office for Civil Rights (Ornstein/Waldman [2], ProPublica, 12/29).
The database contains:
- Information about large breaches self-reported by health care providers;
- Privacy incidents recorded by VA; and
- Violations issued by the CDPH.
According to ProPublica, the database allows consumers to more easily search for HIPAA violations by standardizing health care organizations' names. OCR's data often included several different names for one organization, according to the analysis.
Investigation Details, Findings
Meanwhile, ProPublica used the same data pool to examine the number of repeat HIPAA offenders.
ProPublica considered a complaint a HIPAA violation if it resulted in:
- Corrective-action plans submitted by the provider; or
- "Technical assistance" on how to comply with HIPAA provided by OCR.
The investigation found that hundreds of health care organizations and providers across the country repeatedly violated HIPAA between 2011 and 2014.
Between 2011 and 2014, the investigation found the top repeat offenders were:
- VA clinics, hospitals and pharmacies, with 220 violations;
- CVS Health, with 204 violations;
- Walgreen, with 183 violations;
- Kaiser Permanente, with 146 violations; and
- Walmart, with 71 violations.
However, the investigation found that OCR took no punitive action against those providers.
According to ProPublica, OCR has significant flexibility in how it handles complaints, with the majority of issues resolved privately and informally. The agency also can impose fines of up to $50,000 per violation, with an annual cap of $1.5 million.
Reactions
Deven McGraw, deputy director for health information privacy at OCR, said while the agency typically focuses on incidents that affect at least 500 people, more could be done to address providers with repeat violations.
She said, "I don't like the idea of repeat offenders not being called to task for that behavior, and I would like to see us doing more in this regard." McGraw noted that OCR's case management system is being fixed to flag repeat offenders.
Further, Joy Pritts -- a health information privacy and security consultant and former chief privacy officer at the Office of the National Coordinator for Health IT -- said, "The patterns [ProPublica] identified makes a person wonder how far a company has to go before HHS recognizes a pattern of noncompliance."
Meanwhile, Nicolas Terry -- a professor and executive director of the Hall Center for Law and Health at Indiana University's law school -- said OCR has stepped up its disciplinary actions, in part by issuing more fines against providers with larger breaches. However, he said more could be done (Ornstein/Waldman [1], ProPublica, 12/29/15).
