ProPublica has created and launched a new database that allows consumers to search for privacy violations by health care providers after an investigation revealed hundreds of repeat HIPAA offenders, Charles Ornstein and Annie Waldman report for ProPublica.

How a vendor put six hospitals' data at risk

Database details

To create the database, called HIPAA Helper, researchers from ProPublica analyzed data from:

• The California Department of Public Health (CDPH);
• The Department of Veterans Affairs (VA); and
• HHS' Office for Civil Rights (OCR).

The database contains data from between 2011 and 2014 on large data breaches self-reported by health care providers to OCR, privacy incidents recorded by VA, and violations issued by CDPH.

According to Ornstein and Waldman, the database allows consumers to more easily search for HIPAA violations by standardizing health care organizations' names. OCR's data often included several different names for one organization, according to the analysis.

Investigation details

Meanwhile, ProPublica used the same data pool to examine the number of repeat HIPAA offenders.

How to share data without breaking HIPAA

ProPublica considered a complaint a HIPAA violation if it resulted in:

• Corrective-action plans submitted by the provider; or
• "Technical assistance" on how to comply with HIPAA provided by OCR.

The investigation found that hundreds of health care organizations and providers across the country repeatedly violated HIPAA between 2011 and 2014—in some cases over 200 times.

However, the investigation found that OCR took no punitive action against many of the providers who were the most frequent offenders.

According to Ornstein and Waldman, OCR has significant flexibility in how it handles complaints, with the majority of issues resolved privately and informally. The agency also can impose fines of up to $50,000 per violation, with an annual cap of $1.5 million.

Reaction

Deven McGraw, deputy director for health information privacy at OCR, says that while OCR typically focuses on incidents that affect at least 500 people, more could be done to address providers with repeat violations.

She tells ProPublica, "I don't like the idea of repeat offenders not being called to task for that behavior, and I would like to see us doing more in this regard." McGraw notes that OCR's case management system is being fixed to flag repeat offenders.

Further, Joy Pritts—a  health information privacy and security consultant and former chief privacy officer at the Office of the National Coordinator for Health IT—says that "the patterns [ProPublica] identified makes a person wonder how far a company has to go before HHS recognizes a pattern of noncompliance."

Meanwhile, Nicolas Terry—a  professor and executive director of the Hall Center for Law and Health at Indiana University's law school—says OCR has stepped up its disciplinary actions, in part by issuing more fines against providers with larger breaches. However, he says more could be done (Ornstein/Waldman, ProPublica, 12/29/15 [1]; Ornstein/Waldman, ProPublica, 12/29/15 [2]).