Dive Brief:
- A ProPublica investigation found that CVS, the Veterans Administration, and other large healthcare providers repeatedly violated federal patient privacy law, but were not reprimanded.
- HHS’ Office for Civil Rights (OCR) received 220 complaints of HIPAA violations between 2011 and 2014 by the VA and 204 by CVS. Walgreens and Kaiser Permanente were not far behind with 183 and 146 complaints, respectively.
- Thousands of complaints are logged with OCR each year — nearly 18,000 in 2014 alone — yet fewer than 30 entities have been fined since 2009.
Dive Insight:
“The data analyzed for this story shows the problem goes beyond isolated incidents, carrying few consequences even for those who violate the law the most,” ProPublica reports.
Joy Pritts, an ONC health information and privacy consultant and former chief privacy officer, told ProPublica that OCR is supposed to consider repeat offenses when deciding whether to fine a provider.
“You have to ask whether that’s happening,” Pritts said.
Complaints of HIPAA violations at the VA included a staffer who eyeballed her ex-husband's health record nearly 300 times and a worker who repeatedly accessed a patient's record and posted details on Facebook.
To help people check for privacy violations by provider, ProPublica created a tool called HIPAA Helper using data obtained from OCR via the Freedom of Information Act (FOIA). Included in the database are 300 letters privately resolving HIPAA violations.
Recent reports by the HHS inspector general have underscored OCR's poor record of tracking repeat offenders, ProPublica notes, adding that the agency says it is addressing the problem.