The Secret Documents That Detail How Patients’ Privacy is Breached
A federal agency sends thousands of letters a year to health providers closing out complaints about HIPAA violations. Though the government could make those letters public, it doesn’t. ProPublica has started to do so.
When the federal government takes the rare step of fining medical providers for violating the privacy and security of patients’ medical information, it issues a press release and posts details on the web.
But thousands of times a year, the Office for Civil Rights of the U.S. Department of Health and Human Services resolves complaints about possible violations of the Health Insurance Portability and Accountability Act quietly, outside public view. It sends letters reminding providers of their legal obligations, advising them on how to fix purported problems, and, sometimes, prodding them to make voluntary changes.
As part of its examination into the impact of privacy violations on patients, ProPublica has posted about 300 of these “closure letters” in our HIPAA Helper tool. The app allows users to review details of these cases and track repeat offenders. We obtained the letters under the Freedom of Information Act, and this is the largest repository of them ever made public. (See a list of the letters.)
Most of the letters we’ve received were sent to two large providers, the U.S. Department of Veterans Affairs and CVS Health. They are the entities with the most privacy complaints that resulted in corrective-action plans or “technical assistance” provided by the Office for Civil Rights from 2011 to 2014. But there are also notices of privacy violations sent to Kaiser Permanente, Planned Parenthood and the military’s health care system.
Patients accused the providers of inadvertently, or in some cases deliberately, sharing their health information without their permission – a Texas facility, for instance, kept receiving faxes from CVS intended for a Hawaii doctor with the same name. The complaints sometimes alleged that employees snooped in patients’ files out of personal animus.