The public interest journalism group ProPublica examined records from 2011 through 2014 and found that not only are HIPAA violations common, but they also typically go unpunished.
Some of the biggest names in healthcare—CVS, Kaiser Permanente, Walgreen’s, and Veterans Administration (VA)—are also the nation’s top violators of the law to protect patient privacy, according to an investigation by the public interest journalism organization, ProPublica.
The investigative series, which continues today, has revealed that top retail pharmacy chains, health plans, and the VA routinely violate the Health Insurance Portability and Accountability Act (HIPAA), both through sloppy mistakes and rogue acts of spying.
What’s worse, the investigation finds, is that repeat offenders face little likelihood of enforcement to the maximum permitted under the law. The HHS Office of Civil Rights issues only a handful of fines—fewer than 30 since 2009—on the more than 18,000 HIPAA complaints it receives each year.
(CVS did pay a $2.25 million fine in 2009 for tossing prescription bottles in a dumpster, but it still had more than 200 complaints between 2011 and 2014, according to an analysis in the report.)
What kinds of violations occur? Cases reviewed by ProPublica included honest but distressing errors, such as delivering cancer medication to the wrong address. Worse are the purposeful, intrusive lapses such as sharing patient photos on Snapchat, or the male VA worker who allegedly used records to look up information on a patient he wanted to date.
ProPublica found that the HHS Office of Civil Rights has enormous discretion under HIPAA—it can settle cases quietly, which seems to be the modus operandi—or it can impose finds of up to $50,000 per violation, up to a maximum of $1.5 million per year. Criminal charges are possible in the most egregious cases, and complaints can be posted online if patient information is withheld.
The investigation quotes Deven McGraw, deputy director fo health information privacy at the Office of Civil Rights at HHS, who said the agency focuses on cases that involve at least 500 people but it could do more. She thinks it should.
“Often, when we take a look into those breaches, what we find is that they were not accidents. What contributed to the break of thousands, if not tens of thousands of records, was systemic noncompliance … over a period oftentimes of years.”
The top offender during the period examined by ProPublica is another agency of government: the VA. Against the backdrop of all its other problems—huge backlogs in scheduling patients and falsified reports—were incidents like these:
· One VA employee improperly accessed her ex-husband’s medical records more than 260 times.
· Another VA employee accessed a patient record 61 times and posted some details on Facebook.
· A veteran’s health information was improperly passed along to his parole officer.
Spokespersons for the VA and CVS told ProPublica they took issues of patient privacy very seriously. But other experts questioned how many incidents it would take for HHS to recognize a pattern of noncompliance.
CMS' 340B Repayment Proposal May Harm Vulnerable Hospitals, Reward Those With Higher Revenues
April 26th 2024The 340B hospitals not receiving an offsetting lump-sum payment from CMS following 2018-2022 cuts later ruled unlawful are disproportionately rural, publicly owned, and nonacademic, according to a new study.
Read More
Examining Low-Value Cancer Care Trends Amidst the COVID-19 Pandemic
April 25th 2024On this episode of Managed Care Cast, we're talking with the authors of a study published in the April 2024 issue of The American Journal of Managed Care® about their findings on the rates of low-value cancer care services throughout the COVID-19 pandemic.
Listen
Empowering Community Health Through Wellness and Faith
April 23rd 2024To help celebrate and recognize National Minority Health Month, we are bringing you a special month-long podcast series with our Strategic Alliance Partner, UPMC Health Plan. In the third episode, Camille Clarke-Smith, EdD, MS, CHES, CPT, discusses approaching community health holistically through spiritual and community engagement.
Listen
Kaiser Permanente was hit by a data breach in mid-April, impacting 13.4 million health plan members; GlaxoSmithKline (GSK) sued Pfizer and BioNTech for allegedly infringing on its messenger RNA technology patents in the companies’ COVID-19 vaccines; the CDC announced the first-known HIV cases transmitted via cosmetic injections.
Read More