[BreachExchange] The Secret Documents That Detail How Patients’ Privacy is Breached

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 21 20:13:38 EDT 2016


https://www.propublica.org/article/the-secret-documents-that-detail-how-patients-privacy-is-breached

When the federal government takes the rare step of fining medical providers
for violating the privacy and security of patients’ medical information, it
issues a press release and posts details on the web.

But thousands of times a year, the Office for Civil Rights of the U.S.
Department of Health and Human Services resolves complaints about possible
violations of the Health Insurance Portability and Accountability Act
quietly, outside public view. It sends letters reminding providers of their
legal obligations, advising them on how to fix purported problems, and,
sometimes, prodding them to make voluntary changes.

Case closed.

As part of its examination into the impact of privacy violations on
patients, ProPublica has posted about 300 of these “closure letters” in
our HIPAA Helper tool. The app allows users to review details of these cases
and track repeat offenders. We obtained the letters under the Freedom of
Information Act and this is the largest repository of them ever made
public. (See a list of the letters.)

Most of the letters we’ve received were sent to two large providers, the
U.S. Department of Veterans Affairs and CVS Health. They are the entities
with the most privacy complaints that resulted in corrective-action plans
or “technical assistance” provided by the Office for Civil Rights from 2011
to 2014. But there are also notices of privacy violations sent to Kaiser
Permanente, Planned Parenthood and the military’s health care system.

Patients accused the providers of inadvertently, or in some cases
deliberately, sharing their health information without their permission – a
Texas facility, for instance, kept receiving faxes from CVS intended for a
Hawaii doctor with the same name. The complaints sometimes alleged that
employees snooped in patients’ files out of personal animus.

Currently, the government provides only vague summaries of the issues it
investigates, without the specifics that could make the information useful,
said Dennis Melamed, who publishes a newsletter and website on HIPAA
compliance. The top five categories of complaints in 2014, according to the
Office for Civil Rights website, were impermissible uses and disclosures,
safeguards, administrative safeguards, access and technical safeguards.

“We’re not really sure what’s going on,” Melamed said. “The terminology is
confusing, it’s overlapping and it’s not consistent.”

Dr. Bill Brathwaite, a health information policy consultant who helped
write the federal regulations implementing HIPAA, said he personally had
only seen a few closure letters. The government, he said, has abstracted
the lessons from its investigations “at too high a level for people to
connect and say, ‘Those people are like me, I should pay more attention.’”

“The more information, the better,” Brathwaite said.

Deven McGraw, deputy director for health information privacy at the Office
for Civil Rights, said her agency wants to put closure letters online but
is constrained by its limited budget. In 2014, the most recent year for
which data is available, it received more than 17,000 complaints, as well
as tens of thousands of self-reported breaches of medical information.

Before closure letters can be released publicly, she said, the names of
individual patients and other identifying information would have to be
redacted.

“I do think it’s something that we should do but we have to figure out the
best way to make that happen,” McGraw said. “It is something we’re working
on.”

CVS and the VA have told ProPublica that they are committed to protecting
patient privacy.

“We are never complacent about privacy matters and we constantly strive to
address and reduce disclosure incidents by enhancing our training and
safeguards,” CVS said in a statement last fall. The VA said at the time,
“VA takes veteran privacy and the privacy of medical or health records very
seriously.”

David Holtzman, who used to work at the Office for Civil Rights and is now
vice president of compliance strategies for CynergisTek, a consulting firm,
said the government does not have the money to catalog and archive closure
letters. The Office for Civil Rights, whose budget has been flat for several
years, should focus its resources on improving internal systems to detect
and respond to privacy and security breaches instead, he added.

“To do this would cost money and it’s money they don’t have,” Holtzman
said. “Each matter rests on its own merits and it is difficult to draw
parallels from one case to another. There is going to be variability that
is perhaps not captured in the black and white space of a closure letter.”