Topics
Reimbursement
Elevance, UnitedHealth among insurers accused of alleged price fixing
Elevance, UnitedHealth among insurers accused of alleged price fixing
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
Two CFOs see promise of AI, but have yet to build a dedicated budget
Two CFOs see promise of AI, but have yet to build a dedicated budget
Capital Finance
Cigna nixes speculation of a Humana merger
Cigna nixes speculation of a Humana merger
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Labor expenses continue to challenge hospitals
Labor expenses continue to challenge hospitals
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
US healthcare system ranks last in equity, access
US healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Denials top reason for eroding provider-payer relationship
Denials top reason for eroding provider-payer relationship
Workforce
Elevance laying off 123 California employees
Elevance laying off 123 California employees
Operations
UAB, Press Ganey launch certificate program for healthcare leaders
UAB, Press Ganey launch certificate program for healthcare leaders
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
University Hospitals expanding with $3.2 million donation
University Hospitals expanding with $3.2M donation
Compliance & Legal
Johnson and Johnson sues HRSA for blocking 340B plan
J&J sues HRSA for blocking 340B plan
Policy and Legislation
Planned Parenthood, other groups decry executive power in House bill
Planned Parenthood, other groups decry House bill
Community Benefit
AMA pushes for stricter standards for hospital charity care policies
AMA pushes for stricter standards for hospital charity care policies
Accountable Care
NAACOS pushes ACO REACH extension after $1.54B in savings
NAACOS pushes ACO REACH extension
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Cleveland Clinic and Amazon One Medical collaborate on primary care clinics
Cleveland Clinic and Amazon One Medical collaborate
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Almost a quarter of Americans underinsured, survey finds
Survey: Almost a quarter of Americans underinsured
Patient Engagement
HHS, Illinois reach agreement on disability rights laws
HHS, Illinois reach agreement on disability rights
Pharmacy
CerpassRx, Waltz team on AI platform to manage specialty drug spend
CerpassRx, Waltz team on AI to manage specialty drug spend
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth prescribing of controlled drugs extended through 2025
Telehealth prescribing of controlled drugs extended
Mergers & Acquisitions
Cardinal Health set to acquire two companies for combined $3.9B
Cardinal Health set to acquire two companies for combined $3.9B
View more
Jan 03, 2016 More on Risk Management

Study finds few consequences for health privacy law's repeat offenders

Regulators have logged hundreds of complaints against some health providers for violating federal patient privacy law.

Charles Ornstein, ProPublica
Annie Waldman, ProPublica

Bryan Anselm for ProPublica

When CVS Health customers complained to the company about privacy violations, some of the calls and letters made their way to Joseph Fenity. One patient's medication was delivered to his neighbor, revealing he had cancer.

Another was upset because a pharmacist had yelled personal information across the counter.

Fenity worked on a small team that dealt with complaints directed to the company president's office, assuring customers their situations were rare.

"I sincerely apologize on behalf of CVS Health," Fenity says he'd respond. "This is not how we handle things. The breach of your protected health information was an isolated incident and we'll do better."

In fact, Fenity learned -- partly from battling CVS over the privacy of his own medical information -- that was "a lie."

CVS is among hundreds of health providers nationwide that repeatedly violated the federal patient privacy law known as HIPAA between 2011 and 2014, a ProPublica analysis of federal data shows.

Other well-known repeat offenders include the U.S. Department of Veterans Affairs, Walgreens, Kaiser Permanente and Walmart.

Based on OCR data, health providers that had the most privacy complaints that resulted in corrective-action plans or "technical assistance" from 2011 to 2014, were: U.S. Department of Veterans Affairs, 200; CVS Health, 204; Walgreens, 183; Kaiser Permanente, 146; Walmart, 71; Lab Corp, 58; Quest Diagnostics, 55; Express Scripts, 51; Rite Aid, 48; and UnitedHealthCare, 43.

And yet, the agency tasked with enforcing the Health Insurance Portability and Accountability Act took no punitive action against these providers, ProPublica found.

In more than 200 instances over those four years, that agency, the Office for Civil Rights within the U.S. Department of Health and Human Services, reminded CVS of its obligations under the law or accepted its pledges to improve privacy protections. (CVS did pay a $2.25 million penalty in 2009 for dumping prescription bottles in unsecured dumpsters.)

To be sure, the organizations with the most HIPAA violations are all large healthcare providers with many locations that serve millions of patients each year. In statements, they said they take privacy seriously. (Walmart declined to comment.)

"CVS Health is strongly committed to protecting the privacy of our patients' health information," CVS spokesman Mike DeAngelis wrote. "We have established rigorous privacy policies and procedures throughout the Company to safeguard patient information."

Over the course of this year, ProPublica has reported on loopholes in HIPAA and the federal government's lax enforcement of the law. A story earlier in December detailed how the Office for Civil Rights only rarely imposed sanctions for small-scale privacy breaches that caused lasting harm.

The data analyzed for this story shows the problem goes beyond isolated incidents, carrying few consequences even for those who violate the law the most.

"The patterns you've identified makes a person wonder how far a company has to go before HHS recognizes a pattern of noncompliance," said Joy Pritts, a health information privacy and security consultant who served as chief privacy officer for HHS' Office of the National Coordinator for Healthcare Information Technology until last year.

Pritts said the government is supposed to take into account a health provider's prior track record of following the law when deciding whether to pursue fines for privacy violations. "You have to ask whether that's happening," she said.

The VA was the most persistent HIPAA violator in the data. Time and again, records show, VA employees snooped on one another and on patients they weren't treating. One employee accessed her ex-husband's medical record more than 260 times. Another employee peeked at the records of a patient 61 times and posted details on Facebook. A third improperly shared a vet's health information with his parole officer.

The VA would not make an official available for an interview, but said in a written statement that it "takes veteran privacy and the privacy of medical or health records very seriously."

"The challenges VA is facing are similar to those experienced across public and private sectors, and we are continuously striving to better protect veteran data," its statement said, adding that it provides training to staff, investigates complaints and conducts audits of who accesses health records.

Some privacy problems--whether inadvertent or the deliberate acts of rogue employees--are to be expected. But repeated complaints may signal organizational failures, experts say.

"I don't think it's a defense to just say, 'We do a billion prescriptions a year,'" said Mark Rothstein, chair of law and medicine and the founding director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine. "They need to be more assertive to try to figure out what's wrong. It may be true that you can't get down to zero, but you need to make a really good faith effort to follow up on the complaints that were filed."

The Office for Civil Rights has broad latitude in deciding how to handle complaints. It can resolve them privately and informally, as it has chosen to do in the vast majority of instances. It also has the authority to impose fines of up to $50,000 per violation, with an annual maximum of $1.5 million. In the most egregious cases, the agency can file criminal charges against violators. It is free to post complaints online, if it protects patients' identities.
Deven McGraw, deputy director for health information privacy at the Office for Civil Rights, said the agency's top priority has been investigating breaches that affect at least 500 people, which providers are required by law to report promptly.

"Often, when we take a look into those breaches, what we find is that they were not accidents," she said. "What contributed to the breach of thousands, if not tens of thousands of records, was systemic noncompliance … over a period oftentimes of years."

Still, McGraw acknowledged, more can be done about health providers with multiple HIPAA violations.

"I don't like the idea of repeat offenders not being called to task for that behavior and I would like to see us doing more in this regard," she said, adding that the office's case management system in the past was an impediment but is now being fixed to proactively flag them.

Although the Office for Civil Rights receives thousands of complaints a year -- nearly 18,000 in 2014 -- it issues only a handful of financial penalties. The agency posts details online about the fines violators have agreed to pay (fewer than 30 since 2009), as well as a listing of large breaches. But that represents a tiny share of the incidents investigated by the office; the rest has been hidden from the public.

Asked why the office did not post details of repeat violations online, spokeswoman Rachel Seeger wrote in an email: "Entities who are the subject of complaints are not necessarily guilty of a crime or a civil wrong. Our office makes public details of cases that result in settlements and formal corrective action agreements or civil monetary penalties on our website."

Despite the VA's status as the top serial HIPAA violator in ProPublica's analysis, McGraw said, "that doesn't mean that we treat them any differently in terms of our overall enforcement philosophy."

Using data provided by OCR under the Freedom of Information Act, ProPublica is launching a new tool, HIPAA Helper, which allows users to look up reports of privacy violations by provider for the first time. OCR's material often referred to the same entities by multiple names. CVS was listed as "CVS," "Pharmacy, CVS," "Caremark, CVS," "CVS Caremark" and more. Kaiser Permanente was identified as "Kaiser Foundation Hospital," "Kaiser Hospital," "Kiaser Permanente," and even "KP." We have standardized organizations' names to make searching easier.

The database also includes the large breaches self-reported by health providers to the Office for Civil Rights, privacy incidents logged separately by the VA and violations cited by the California Department of Public Health, which can impose its own fines against hospitals for failing to protect patient privacy.

This story was co-published with NPR's Shots blog. It is edited from its original source. To read the full story, go to ProPublica.org.

News
Ending racism in healthcare often begins with medical education - and is the target of a new national project Ending racism in healthcare often begins with medical education - and is the target of a new national project Inequities can be found in every facet of the industry, but targeting medical students and residents can help stem the tide.