Privacy Act Protects Some Practices With Patient Data Breaches
The Office for Civil Rights (OCR) cited a 36-year-old privacy law as the reason why it cannot post on its breach notification Web site the names of private practitioners who report breaches of unsecured PHI affecting 500 or more individuals.
OCR writes in an e-mail to HealthLeaders Media that private practitioners who report these major breaches of unsecured PHI are considered "individuals" as defined by the Privacy Act of 1974.
Therefore, these "individuals" can stop OCR from posting its name on its breach notification Web site if the "individual" does not provide written consent. In those cases, OCR lists the entities as "private practice."
"It is the legal opinion of HHS that the names of private practitioners are identifiable as 'individuals,' as defined by the Privacy Act of 1974," OCR writes to HealthLeaders Media.
As of today, April 12, 59 entities reported breaches of 500 or more, eight of which were listed as "private practice." That nearly doubles the initial report of 32 reporting entities when OCR made its Web site public in late February.
Though OCR did not cite the actual disclosure provision from the Privacy Act of 1974, here is the language in the 552a, subsection (b) section of the Act:
"No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains …"
Kate Borten, CISSP, CISM, president of the The Marblehead Group, says the privacy argument here would seem moot since each entity, per HITECH, must notify each of the 500 or more affected individuals in the breach via a letter as well as through the media.
HITECH is part of a sweeping set of changes to HIPAA enforcement and breach notification included in the American Recovery and Reinvestment Act of 2009, signed into law February 17, 2009.
Congress included the more strict provisions for privacy and security protections and made enforcement tougher by including potential public scrutiny on government Web sites.
However, Borten says not posting the names of each entity "defeats the purpose of public posting. I doubt this is what Congress had in mind."
HealthLeaders Media asked OCR in an e-mail why these "private practices" are not subject to the same public scrutiny as the other entities listed on its Web site.
OCR did not respond directly to the inquiry, only citing the Privacy Act of 1974.
"This application of the Privacy Act may not be what Congress intended, but as healthcare entities are required to comply with an increasing number of laws and regulations, there will inevitably be unintended and unforeseen conflicts between laws," says Jana Aagaard, attorney in the Law Office of Jana Aagaard in Carmichael, CA. "This is an example of the unintended consequences that often accompany new regulations."