Study finds few consequences for health privacy law's repeat offenders
Regulators have logged hundreds of complaints against some health providers for violating federal patient privacy law.
When CVS Health customers complained to the company about privacy violations, some of the calls and letters made their way to Joseph Fenity. One patient's medication was delivered to his neighbor, revealing he had cancer.
Another was upset because a pharmacist had yelled personal information across the counter.
Fenity worked on a small team that dealt with complaints directed to the company president's office, assuring customers their situations were rare.
"I sincerely apologize on behalf of CVS Health," Fenity says he'd respond. "This is not how we handle things. The breach of your protected health information was an isolated incident and we'll do better."
In fact, Fenity learned -- partly from battling CVS over the privacy of his own medical information -- that was "a lie."
CVS is among hundreds of health providers nationwide that repeatedly violated the federal patient privacy law known as HIPAA between 2011 and 2014, a ProPublica analysis of federal data shows.
Other well-known repeat offenders include the U.S. Department of Veterans Affairs, Walgreens, Kaiser Permanente and Walmart.
Based on data from the HHS Office for Civil Rights (OCR), the health providers with the most privacy complaints that resulted in corrective-action plans or "technical assistance" from 2011 to 2014 were: U.S. Department of Veterans Affairs, 200; CVS Health, 204; Walgreens, 183; Kaiser Permanente, 146; Walmart, 71; Lab Corp, 58; Quest Diagnostics, 55; Express Scripts, 51; Rite Aid, 48; and UnitedHealthCare, 43.
And yet, the agency tasked with enforcing the Health Insurance Portability and Accountability Act took no punitive action against these providers, ProPublica found.
In more than 200 instances over those four years, that agency, the Office for Civil Rights within the U.S. Department of Health and Human Services, reminded CVS of its obligations under the law or accepted its pledges to improve privacy protections. (CVS did pay a $2.25 million penalty in 2009 for dumping prescription bottles in unsecured dumpsters.)
To be sure, the organizations with the most HIPAA violations are all large healthcare providers with many locations that serve millions of patients each year. In statements, they said they take privacy seriously. (Walmart declined to comment.)
"CVS Health is strongly committed to protecting the privacy of our patients' health information," CVS spokesman Mike DeAngelis wrote. "We have established rigorous privacy policies and procedures throughout the Company to safeguard patient information."
Over the course of this year, ProPublica has reported on loopholes in HIPAA and the federal government's lax enforcement of the law. A story earlier in December detailed how the Office for Civil Rights only rarely imposed sanctions for small-scale privacy breaches that caused lasting harm.
The data analyzed for this story shows the problem goes beyond isolated incidents, carrying few consequences even for those who violate the law the most.
"The patterns you've identified make a person wonder how far a company has to go before HHS recognizes a pattern of noncompliance," said Joy Pritts, a health information privacy and security consultant who served as chief privacy officer for HHS' Office of the National Coordinator for Health Information Technology until last year.
Pritts said the government is supposed to take into account a health provider's prior track record of following the law when deciding whether to pursue fines for privacy violations. "You have to ask whether that's happening," she said.
The VA was the most persistent HIPAA violator in the data. Time and again, records show, VA employees snooped on one another and on patients they weren't treating. One employee accessed her ex-husband's medical record more than 260 times. Another employee peeked at the records of a patient 61 times and posted details on Facebook. A third improperly shared a vet's health information with his parole officer.
The VA would not make an official available for an interview, but said in a written statement that it "takes veteran privacy and the privacy of medical or health records very seriously."
"The challenges VA is facing are similar to those experienced across public and private sectors, and we are continuously striving to better protect veteran data," its statement said, adding that it provides training to staff, investigates complaints and conducts audits of who accesses health records.
Some privacy problems -- whether inadvertent or the deliberate acts of rogue employees -- are to be expected. But repeated complaints may signal organizational failures, experts say.
"I don't think it's a defense to just say, 'We do a billion prescriptions a year,'" said Mark Rothstein, chair of law and medicine and the founding director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine. "They need to be more assertive to try to figure out what's wrong. It may be true that you can't get down to zero, but you need to make a really good faith effort to follow up on the complaints that were filed."
The Office for Civil Rights has broad latitude in deciding how to handle complaints. It can resolve them privately and informally, as it has chosen to do in the vast majority of instances. It also has the authority to impose fines of up to $50,000 per violation, with an annual maximum of $1.5 million. In the most egregious cases, the agency can file criminal charges against violators. It is free to post complaints online, if it protects patients' identities.
Deven McGraw, deputy director for health information privacy at the Office for Civil Rights, said the agency's top priority has been investigating breaches that affect at least 500 people, which providers are required by law to report promptly.
"Often, when we take a look into those breaches, what we find is that they were not accidents," she said. "What contributed to the breach of thousands, if not tens of thousands of records, was systemic noncompliance … over a period oftentimes of years."
Still, McGraw acknowledged, more can be done about health providers with multiple HIPAA violations.
"I don't like the idea of repeat offenders not being called to task for that behavior and I would like to see us doing more in this regard," she said, adding that the office's case management system in the past was an impediment but is now being fixed to proactively flag them.
Although the Office for Civil Rights receives thousands of complaints a year -- nearly 18,000 in 2014 -- it issues only a handful of financial penalties. The agency posts details online about the fines violators have agreed to pay (fewer than 30 since 2009), as well as a listing of large breaches. But that represents a tiny share of the incidents investigated by the office; the rest have been hidden from the public.
Asked why the office did not post details of repeat violations online, spokeswoman Rachel Seeger wrote in an email: "Entities who are the subject of complaints are not necessarily guilty of a crime or a civil wrong. Our office makes public details of cases that result in settlements and formal corrective action agreements or civil monetary penalties on our website."
Despite the VA's status as the top serial HIPAA violator in ProPublica's analysis, McGraw said, "that doesn't mean that we treat them any differently in terms of our overall enforcement philosophy."
Using data provided by OCR under the Freedom of Information Act, ProPublica is launching a new tool, HIPAA Helper, which allows users to look up reports of privacy violations by provider for the first time. OCR's material often referred to the same entities by multiple names. CVS was listed as "CVS," "Pharmacy, CVS," "Caremark, CVS," "CVS Caremark" and more. Kaiser Permanente was identified as "Kaiser Foundation Hospital," "Kaiser Hospital," "Kiaser Permanente," and even "KP." We have standardized organizations' names to make searching easier.
The database also includes the large breaches self-reported by health providers to the Office for Civil Rights, privacy incidents logged separately by the VA and violations cited by the California Department of Public Health, which can impose its own fines against hospitals for failing to protect patient privacy.
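The name standardization described above is the step that makes a repeat-offender count possible at all: a regulator's records that call one company "CVS," "Pharmacy, CVS" and "CVS Caremark" will split its complaint tally three ways unless the variants are folded together first. The following is an added example of that folding, written for this page; it is not ProPublica's code and does not reflect how HIPAA Helper was actually built. The alias table is constructed from the variants quoted in the story, the stop-word list and the 0.85 fuzzy-match threshold are assumptions, and "Wallgreens" in the usage block is a constructed misspelling used only to exercise the fuzzy path.

```python
"""Fold variant spellings of covered-entity names onto one canonical name.

Added example, not ProPublica's own code. The alias table is constructed
from the variants quoted in the story; stop words and the fuzzy-match
threshold are assumptions made for this illustration.
"""
import difflib
import re
from collections import Counter

# Canonical name -> spellings seen in the regulator's records (constructed
# from the story; a real alias list would be much longer).
ALIASES = {
    "CVS Health": ["CVS", "Pharmacy, CVS", "Caremark, CVS", "CVS Caremark"],
    "Kaiser Permanente": ["Kaiser Foundation Hospital", "Kaiser Hospital",
                          "Kiaser Permanente", "KP"],
    "Walgreens": [],
}

# Generic words that say nothing about which organization is meant (assumed list).
STOPWORDS = {"pharmacy", "hospital", "foundation", "inc", "llc", "the", "of"}

# Similarity below which two normalized keys are treated as different entities.
# 0.85 is an assumed threshold, high enough that one transposed or doubled
# letter still matches while unrelated short names do not.
FUZZY_CUTOFF = 0.85


def normalize(raw: str) -> str:
    """Lowercase, undo 'Descriptor, Name' comma inversion, strip punctuation
    and generic words, so 'Pharmacy, CVS' and 'CVS Pharmacy' both become 'cvs'."""
    text = raw.lower()
    if "," in text:
        head, tail = text.split(",", 1)      # 'pharmacy, cvs' -> 'cvs pharmacy'
        text = f"{tail} {head}"
    tokens = [t for t in re.findall(r"[a-z0-9]+", text) if t not in STOPWORDS]
    return " ".join(tokens)


def build_index(aliases=ALIASES) -> dict:
    """Map every normalized alias (and the canonical name itself) to its canonical
    name, refusing a table in which one spelling points at two organizations."""
    index = {}
    for canonical, variants in aliases.items():
        for name in [canonical, *variants]:
            key = normalize(name)
            if index.get(key, canonical) != canonical:
                raise ValueError(f"{name!r} maps to both {index[key]!r} and {canonical!r}")
            index[key] = canonical
    return index


INDEX = build_index()


def canonicalize(raw: str, index=INDEX):
    """Exact lookup first; fall back to a close fuzzy match for typos such as
    'Kiaser'; return None rather than guess when nothing is close enough."""
    key = normalize(raw)
    if key in index:
        return index[key]
    close = difflib.get_close_matches(key, index.keys(), n=1, cutoff=FUZZY_CUTOFF)
    return index[close[0]] if close else None


def count_by_entity(names) -> Counter:
    """Tally records per canonical entity; unknown names are kept as written
    so they can be reviewed and added to the alias table, not silently merged."""
    return Counter(canonicalize(n) or n.strip() for n in names)


if __name__ == "__main__":
    # Constructed sample of how one provider can appear under several names.
    records = ["CVS", "Pharmacy, CVS", "CVS Caremark", "KP",
               "Kaiser Hospital", "Wallgreens", "Quest Diagnostics"]
    for entity, n in count_by_entity(records).most_common():
        print(f"{n:3d}  {entity}")
```

The "return None rather than guess" behaviour matters for this kind of analysis: a fuzzy matcher that always returns its nearest hit would quietly attribute complaints to the wrong provider, which is worse than an unmatched name that a reviewer can resolve by hand. The conflict check in `build_index` catches the opposite error, an alias table that has drifted to the point where one spelling is claimed by two organizations.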
This story was co-published with NPR's Shots blog. It is edited from its original source. To read the full story, go to ProPublica.org.