Private Practices Revealed On Patient Breach Website
The names of "private practices" reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals have been revealed.
The Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, lifted the label of anonymity on those entities as it revealed its updated breach notification website last Thursday.
The new website went live Thursday, July 8, the same day the Department of Health and Human Services (HHS), which oversees OCR, released a proposed rule they say "significantly" modifies the HIPAA privacy, security and enforcement rules.
When the original HITECH-required website went live in February, industry insiders questioned OCR listing some, but not all, entities as "private practice."
"This certainly received some attention on several listservs where participants were scratching their heads asking why these covered entities were not identified beyond being listed as 'private practice,' says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ.
OCR, when questioned by HealthLeaders Media then, said those private practitioners who report these major breaches are considered "individuals" as defined by the Privacy Act of 1974.
Therefore, those "individuals" can stop OCR from posting its name on its breach notification website if the "individual" does not provide written consent. In those cases, OCR would list the entities as "private practice."
However, OCR soon set out to lift that "private practice" tag and post the names of all entities reporting the egregious breaches regardless of whether or not they gave consent.
OCR's April 13 Federal Register notice said it wants to expand the way OCR uses and stores information per HITECH requirements. One of the modifications was to make posting of entities who report breaches of 500 or more as a "routine use."
The language in the Privacy Act of 1974 says, "the term 'routine use' means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected."