Private Practices Revealed On Patient Breach Website

The names of "private practices" reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals have been revealed.

The Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, lifted the label of anonymity on those entities as it revealed its updated breach notification website last Thursday.

The new website went live Thursday, July 8, the same day the Department of Health and Human Services (HHS), which oversees OCR, released a proposed rule they say "significantly" modifies the HIPAA privacy, security and enforcement rules.

When the original HITECH-required website went live in February, industry insiders questioned OCR listing some, but not all, entities as "private practice."

"This certainly received some attention on several listservs where participants were scratching their heads asking why these covered entities were not identified beyond being listed as 'private practice,' says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ.

OCR, when questioned by HealthLeaders Media then, said those private practitioners who report these major breaches are considered "individuals" as defined by the Privacy Act of 1974.

Therefore, those "individuals" can stop OCR from posting its name on its breach notification website if the "individual" does not provide written consent. In those cases, OCR would list the entities as "private practice."

However, OCR soon set out to lift that "private practice" tag and post the names of all entities reporting the egregious breaches regardless of whether or not they gave consent.

OCR's April 13 Federal Register notice said it wants to expand the way OCR uses and stores information per HITECH requirements. One of the modifications was to make posting of entities who report breaches of 500 or more as a "routine use."

The language in the Privacy Act of 1974 says, "the term 'routine use' means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected."

As long as information qualifies as a "routine use," then that information can be made public without an individual's consent. As soon as the 40-day comment period on the April 13 Federal Register notice was up, OCR had the carte blanche to post names of "private practices."

As of July 6, the OCR website listed 107 entities, including 11 as "private practice." Today, the number is still 107, but none have the "private practice" mask.

Ruelas, the Maryvale director of compliance and risk management in Arizona, sent HealthLeaders Media a report listing the former "private practices" who reported breaches to OCR:

• Daniel J. Sigmund, MD PC, Stoughton, MA: Dec. 11, 2009; 1,860 affected individuals; theft; portable electronic device; medical record
• David I. Cohen, MD, Torrance, CA: Sept. 27, 2009; 857 affected individuals; theft, unauthorized access; desktop computer
• Ernest T Bice Jr., DDS PA, San Antonio, Texas: Feb. 20, 2010; 21,000 affected individuals; theft, portable electronic device, other
• Heriberto Rodriguez ? Ayala, MD, McAllen, Texas: April 3, 2010; 4,200 affected individuals; theft, laptop
• Joseph F. Lopez, MD, Torrance, CA: Sept. 27, 2009; 952 individuals affected; theft, unauthorized access; desktop computer
• Keith W. Mann, DDS PLLC, Wilmington, NC: Dec. 8, 2009; 2,000 individuals affected; hacking/IT incident; computer, network server, electronic medical record
• L. Douglas Carlson, MD, Torrance, CA: Sept. 27, 2009; 5,257 affected individuals; theft, unauthorized access; desktop computer
• Mark D. Lurie, MD, Torrance, CA: Sept. 27, 2009; 5,166 affected individuals; theft, unauthorized access; desktop computer
• Mary M. Desch, MD, Arizona: May 15, 2010; 5,893 individuals affected; theft; laptop
• Michele Del Vicario, MD, Torrance, CA: Sept. 27, 2009; 6,145 affected individuals; theft, unauthorized access; desktop computer
• Nihal Saran, MD, Michigan: May 2, 2010; 2,300 individuals affected; theft; laptop

According to the original OCR breach notification website, which is still live, the source of the breaches in Torrance, CA, was a desktop computer where information was accessed without authorization. They are each listed on the same date but with different practitioners and varying numbers of affected individuals.

"If one goal is for those leading the HITECH Act enforcement efforts at the federal level is to be more transparent to the public with respect to information related to reported breaches," Ruelas says, "this new website with its identification of previously masked covered entities is a tangible step in this direction."