- HIPAA Update - http://blogs.hcpro.com/hipaa -

Industry insiders question not revealing violators of health information breaches

The Office for Civil Rights (OCR) cannot post the names of entities that report breaches of unsecured personal health information affecting 500 or more individuals unless the entity gives it written consent, OCR tells HIPAA Update.

In cases where OCR does not have written consent, it will cite the entity on its Web site as “private practice.” This method has led industry insiders to question OCR, says Kate Borten, CISSP, CISM, president, The Marblehead (MA) Group.

Per the HITECH Act [1], OCR must post “a list that identifies each covered entity” that reports breaches affecting 500 or more individuals.

However, of the 44 organizations listed on the Web site as of Friday, seven are cited by OCR as “private practice.”

“Under current Privacy Act restrictions,” OCR writes to HIPAA Update in an e-mail, “OCR may not disclose the names or other identifying information about private practitioners without their written consent.”

Five of those “private practices” are from the same city on the same date—Torrance, CA, September 27, 2009—but each is posted with a different number of individuals affected. The highest number of affected individuals is 6,145. The other two “private practices” are out of Stoughton, MA, and Wilmington, NC.

Borten says listing private practice “defeats the purpose of public posting. I doubt this is what Congress had in mind.”

Since September, of the 44 entities that have reported such large breaches, 10 involved business associates (BAs). It is not clear whether the “private practices” are BAs or covered entities.

The most egregious breach case came from Blue Cross Blue Shield of Tennessee, which affected 500,000 individuals as a result of stolen hard drives, OCR reported on its Web site.

Following Blue Cross Blue Shield is AvMed, Inc., a Gainesville, FL, health plan. A stolen laptop on December 10, 2009, resulted in a reported breach affecting 359,000 individuals, according to OCR.

Borten says she’s also concerned that the Web site posting of the breaches of 500 or more is hard to find. To get to the 500 list, users must click “New Breach Notification Web Pages” [2] on the privacy home page. From there, the link to the 500 list is on the bottom right-hand corner.

In response to HealthLeaders’ inquiry about the prominence of the site, OCR wrote, “The OCR HIPAA Privacy Web site is one of the most visited Web sites in the department, and the link to the new breach Web site is prominently available from the home page.”

Borten says she “respectfully disagrees.”

“Only someone who is determined to find the site and knows it must be there is likely to find it by drilling down,” she says.

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, says he too feels the Web site is hard to track.

“I didn’t necessarily see the Web-based notices all that easy to find,” Ruelas says. “I would have expected them to be a bit more prominently displayed.”

Borten says she hopes OCR will reconsider “where and how it posts breaches so that the full intent and impact of the law is met.”

But OCR stands by its method, telling HealthLeaders, “The posting of breaches affecting over 500 individuals, as with other provisions in HITECH, has brought a strong refocus on compliance with the HIPAA Privacy and Security rules.”