CVS Health and VA ring up the most warnings to OCR about possible HIPAA breaches, ProPublica finds

ProPublica published some 300 letters that the Health and Human Services Office for Civil Rights sent to healthcare providers reminding them of legal obligations, advising how to fix problems and suggesting they make voluntary changes.
By Jack McCarthy
11:35 AM

The U.S. Department of Veterans Affairs and CVS Health lead the list of providers receiving the most privacy complaints that resulted in corrective-action plans or technical assistance provided by the Office for Civil Rights (OCR) from 2011 to 2014, according to a report from ProPublica.

Some fines are issued by the federal government to medical providers for violating the privacy and security of patients’ medical information under the Health Insurance Portability and Accountability Act (HIPAA), and in those cases the OCR issues press releases and posts details on the web.

But thousands of times a year, the OCR resolves complaints about possible HIPAA violations outside public view, according to ProPublica. The OCR sends private letters reminding providers of their legal obligations, advising them how to fix problems, and, in some cases, suggesting they make voluntary changes. 


ProPublica also published a tool it calls HIPAA Helper that makes public 300 of these closure letters.

With the tool, the public can see details of these cases and discover repeat offenders. The letters were obtained by ProPublica through requests to OCR under the Freedom of Information Act.

In contrast, when federal officials take the less frequent step of fining medical providers for violating the privacy and security of patients’ medical information, they publish press releases and post details on the web.

In 2014, the most recent year for which data is available, OCR received more than 17,000 complaints, as well as tens of thousands of self-reported breaches of medical information.

“Most of the letters we’ve received were sent to two large providers, the U.S. Department of Veterans Affairs and CVS Health,” ProPublica reported. “But there are also notices of privacy violations sent to Kaiser Permanente, Planned Parenthood and the Military Health System.”

Both the VA and CVS received more than 200 privacy complaints that resulted in corrective-action plans or “technical assistance” being provided by the OCR from 2011 to 2014, ProPublica said.

CVS Health and the VA said in a statement to ProPublica that they are committed to protecting patient privacy.
