EXECUTIVE SUMMARY
President Obama recently announced a change to the Health Insurance Portability and Accountability Act (HIPAA) that allows healthcare providers to report patients with mental health issues to a national criminal background database. The move is intended to prohibit gun sales to mentally ill people with a potential for violence.
- Some healthcare providers have debated whether HIPAA previously prohibited such reports.
- The rule change only affirms that a subset of healthcare providers can report patients with mental illness.
- HIPAA still prohibits most healthcare providers from reporting such concerns.
Several large pharmacy chains and health systems are among the most frequent violators of the Health Insurance Portability and Accountability Act (HIPAA), according to a recent report from ProPublica.
Among healthcare providers nationwide that repeatedly violated HIPAA between 2011 and 2014, some of the top offenders were the following:
- Department of Veterans Affairs;
- CVS;
- Walgreens;
- Kaiser Permanente;
- Wal-Mart.
Interestingly, however, these repeat offenders were not punished by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
ProPublica, which describes itself as an independent, non-profit newsroom that produces investigative journalism in the public interest, found that in more than 200 instances of HIPAA violations during those four years, OCR only reminded CVS of its obligations under the law or accepted its pledges to improve privacy protections. ProPublica acknowledges that the organizations with the most HIPAA violations are all large healthcare providers with many locations that serve millions of patients each year, increasing the likelihood of HIPAA violations. ProPublica counted as violations those complaints that resulted in corrective-action plans submitted by a health provider or “technical assistance” provided by the Office for Civil Rights on how to comply with the law.
Offenses by the top violator, the Department of Veterans Affairs, included incidents of employees accessing patient files of co-workers and patients they were not treating.
ProPublica reports that one employee accessed her ex-husband’s medical record more than 260 times, while another accessed the records of a patient 61 times and posted details on Facebook. A third provided a patient’s health information to his parole officer, ProPublica reports.
ProPublica also is using the HIPAA violation data to launch a new tool called HIPAA Helper, which allows searching for reports of privacy violations by provider, which is apparently the first such resource offered to the public. (HIPAA Helper can be accessed at https://projects.propublica.org/hipaa. The full ProPublica report is available online at http://tinyurl.com/gu2vfep.)
