Private Practices Revealed On Patient Breach Website
As long as information qualifies as a "routine use," then that information can be made public without an individual's consent. As soon as the 40-day comment period on the April 13 Federal Register notice was up, OCR had the carte blanche to post names of "private practices."
As of July 6, the OCR website listed 107 entities, including 11 as "private practice." Today, the number is still 107, but none have the "private practice" mask.
Ruelas, the Maryvale director of compliance and risk management in Arizona, sent HealthLeaders Media a report listing the former "private practices" who reported breaches to OCR:
- Daniel J. Sigmund, MD PC, Stoughton, MA: Dec. 11, 2009; 1,860 affected individuals; theft; portable electronic device; medical record
- David I. Cohen, MD, Torrance, CA: Sept. 27, 2009; 857 affected individuals; theft, unauthorized access; desktop computer
- Ernest T Bice Jr., DDS PA, San Antonio, Texas: Feb. 20, 2010; 21,000 affected individuals; theft, portable electronic device, other
- Heriberto Rodriguez ? Ayala, MD, McAllen, Texas: April 3, 2010; 4,200 affected individuals; theft, laptop
- Joseph F. Lopez, MD, Torrance, CA: Sept. 27, 2009; 952 individuals affected; theft, unauthorized access; desktop computer
- Keith W. Mann, DDS PLLC, Wilmington, NC: Dec. 8, 2009; 2,000 individuals affected; hacking/IT incident; computer, network server, electronic medical record
- L. Douglas Carlson, MD, Torrance, CA: Sept. 27, 2009; 5,257 affected individuals; theft, unauthorized access; desktop computer
- Mark D. Lurie, MD, Torrance, CA: Sept. 27, 2009; 5,166 affected individuals; theft, unauthorized access; desktop computer
- Mary M. Desch, MD, Arizona: May 15, 2010; 5,893 individuals affected; theft; laptop
- Michele Del Vicario, MD, Torrance, CA: Sept. 27, 2009; 6,145 affected individuals; theft, unauthorized access; desktop computer
- Nihal Saran, MD, Michigan: May 2, 2010; 2,300 individuals affected; theft; laptop
According to the original OCR breach notification website, which is still live, the source of the breaches in Torrance, CA, was a desktop computer where information was accessed without authorization. They are each listed on the same date but with different practitioners and varying numbers of affected individuals.
"If one goal is for those leading the HITECH Act enforcement efforts at the federal level is to be more transparent to the public with respect to information related to reported breaches," Ruelas says, "this new website with its identification of previously masked covered entities is a tangible step in this direction."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
- 12 Hires to Keep Your Hospital Out of Trouble
- Ratcheting Up Patient Experience Has a Downside
- Meaningful Use Payment Adjustments Begin
- HL20: Lee Aase—Who's Behind @MayoClinic
- 'Mega Boards' Could be Rural Healthcare Disruptor
- Taming Time and Moving Healthcare Data
- 1 in 5 Eligible Hospitals Penalized for HACs
- A Christmas Wish List for US Healthcare
- HL20: Sam Foote, MD—The Courage to Speak Up
- HL20: Derek Angus, MD—An Intense Focus on Care