Apr

16

OCR will post names of ‘individuals’ who report breaches affecting 500 or more

By Dom Nicastro

The Office of Civil Rights (OCR) confirmed in an e-mail to HIPAA Update Friday afternoon that it will begin posting on its breach notification Web site the names of entities they consider “individuals” regardless of whether or not those entities give consent.

Currently, OCR does not post the names of such entities (namely sole practitioners) who report breaches affecting 500 or more individuals if they do not give OCR consent; OCR treats them as protected “individuals” per the Privacy Act of 1974. Instead, OCR lists them as “private practice.”

As of today, eight of the 64 entities on the OCR Web site are listed as “private practice.”

John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA Security Rule, says some see this practice as “discriminatory.”

“A breach is a breach,” he says.

But OCR filed a notice in the Federal Register Monday in order to modify its existing “System of Records” practices and ultimately lift the “consent” option of these sole practitioners. The Federal Register notice intends to expand the way OCR uses and stores information per HITECH requirements.

One of the modifications is to make posting of entities who report breaches of 500 or more as a “routine use.” That term comes from the Privacy Act of 1974 and allows entities to use information despite not getting consent from an individual. As long as information qualifies as a “routine use,” then that information can be made public without an individual’s consent.

The language in the Privacy Act of 1974 says, “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.”

The “routine uses” will become effective at the end of the 40-day comment period set forth in the notice (about May 23), according to the e-mail OCR sent HIPAA Update. It also depends upon public comment received by HHS/OCR.

But once that happens, “OCR would be able to post the names of covered entities without first obtaining their consent,” according to the e-mail.

Industry insiders questioned OCR’s use of “private practice” on its breach Web site, saying it defeats Congress’ intent of public scrutiny on such egregious breaches. The initiative to make public those entities reporting such large breaches was first brought forth when HITECH was signed into law Feb. 17, 2010. It is now included in the breach notification interim final rule, effective last August.