Dive Brief:
- ProPublica has created and launched a new database, HIPAA Helper, to allow consumers to search privacy violations by providers. Names of providers have been standardized to make the searches easier to conduct.
- The database also includes large breaches self-reported by healthcare providers to the Office for Civil Rights, privacy incidents logged by the VA, and violations cited by the California Department of Public Health, which has the authority to impose its own fines when hospitals violate patient privacy.
- ProPublica's investigation of repeat HIPAA offenders between 2011 and 2014 found the following top offenders: VA clinics, hospitals and pharmacies (220 violations), CVS Health (204), Walgreens (183), Kaiser Permanente (146), and Walmart (71).
Dive Insight:
Other offenders in the database include LabCorp, Quest Diagnostics, Express Scripts, Rite Aid, and United Healthcare.
The group's investigation also found that the Office for Civil Rights (OCR) chose not to take any punitive action against the providers, although it can impose fines of up to $50,000 per violation with a yearly cap of $1.5 million. OCR has flexibility in handling complaints and usually resolves issues privately, according to ProPublica.
Deven McGraw, deputy director for health information privacy at OCR, said, "I don't like the idea of repeat offenders not being called to task for that behavior and I would like to see us doing more in this regard," adding that the agency's case management system will soon flag repeat offenders.
To examine the number of repeat HIPAA offenders, ProPublica considered a complaint a HIPAA violation if it resulted in corrective-action plans submitted by the provider, or if OCR provided "technical assistance" on how to comply with HIPAA.
Joy Pritts, former chief privacy officer at ONC, said, "The patterns (ProPublica) identified makes a person wonder how far a company has to go before HHS recognizes a pattern of noncompliance."