ProPublica has created and launched a new database that allows consumers to search for privacy violations by health care providers after an investigation revealed hundreds of repeat HIPAA offenders, Charles Ornstein and Annie Waldman report for ProPublica.
To create the database, called HIPAA Helper, researchers from ProPublica analyzed data from:
The database contains data from between 2011 and 2014 on large data breaches self-reported by health care providers to OCR, privacy incidents recorded by VA, and violations issued by CDPH.
According to Ornstein and Waldman, the database allows consumers to more easily search for HIPAA violations by standardizing health care organizations' names. OCR's data often included several different names for one organization, according to the analysis.
Meanwhile, ProPublica used the same data pool to examine the number of repeat HIPAA offenders.
ProPublica considered a complaint a HIPAA violation if it resulted in:
The investigation found that hundreds of health care organizations and providers across the country repeatedly violated HIPAA between 2011 and 2014—in some cases over 200 times.
However, the investigation found that OCR took no punitive action against many of the providers who were the most frequent offenders.
According to Ornstein and Waldman, OCR has significant flexibility in how it handles complaints, with the majority of issues resolved privately and informally. The agency also can impose fines of up to $50,000 per violation, with an annual cap of $1.5 million.
Deven McGraw, deputy director for health information privacy at OCR, says that while OCR typically focuses on incidents that affect at least 500 people, more could be done to address providers with repeat violations.
She tells ProPublica, "I don't like the idea of repeat offenders not being called to task for that behavior, and I would like to see us doing more in this regard." McGraw notes that OCR's case management system is being fixed to flag repeat offenders.
Further, Joy Pritts—a health information privacy and security consultant and former chief privacy officer at the Office of the National Coordinator for Health IT—says that "the patterns [ProPublica] identified make a person wonder how far a company has to go before HHS recognizes a pattern of noncompliance."
Meanwhile, Nicolas Terry—a professor and executive director of the Hall Center for Law and Health at Indiana University's law school—says OCR has stepped up its disciplinary actions, in part by issuing more fines against providers with larger breaches. However, he says more could be done (Ornstein/Waldman, ProPublica, 12/29/15; Ornstein/Waldman, ProPublica, 12/29/15).