'Private Practices' Will Be Unmasked On Large Breaches Website

Dom Nicastro, May 19, 2010

Names of healthcare entities masked as "private practice" on the government website that lists organizations reporting large breaches of unsecured protected health information (PHI) will soon be revealed.

The Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, tells HealthLeaders Media in an e-mail it will lift the "private practice" tag on its website once the 40-day comment period is up on its April 13 Federal Register notice that modifies its existing "System of Records" practices.

The comment period ends Sunday, May 23, and "so, OCR anticipates beginning to publish the names of covered entities currently listed as 'Private Practice' some time after that," the agency said in an e-mail to HealthLeaders Media. "OCR intends to apply the new routine use retroactively, so names of all covered entities currently listed as 'Private Practice' would be published."

Of the 87 entities reporting breaches affecting 500 or more individuals on the OCR website as of Tuesday, May 18, eight are listed as "private practice."

When questioned about the listing of "private practices" early last month, OCR originally told HealthLeaders Media that private practitioners who report these major breaches are considered "individuals" as defined by the Privacy Act of 1974.

Therefore, those "individuals" can stop OCR from posting their names on its breach notification website simply by not providing written consent. In those cases, OCR would list the entity as "private practice."

"It is the legal opinion of HHS that the names of private practitioners are identifiable as 'individuals,' as defined by the Privacy Act of 1974," OCR wrote to HealthLeaders Media April 7.

However, in its April 13 Federal Register notice, OCR wants to expand the way it uses and stores information per HITECH requirements. One of the modifications is to make the posting of the names of entities that report breaches affecting 500 or more individuals a "routine use."

The language in the Privacy Act of 1974 says, "the term 'routine use' means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected."

Ultimately, the routine-use designation allows the agency to use that information without obtaining consent from the individual. As long as a disclosure qualifies as a "routine use," the information can be made public without the individual's consent.

Asked why OCR sought to change this consent authority for this particular website, OCR tells HealthLeaders Media, "The HITECH Act required it." OCR said it had to wait for the "Systems of Records" modification request to lift the "private practice" mask on its website.

HITECH's breach notification interim final rule requires OCR to list on its website entities that report breaches of unsecured PHI affecting 500 or more individuals. OCR went live with the website in mid-February, starting with 32 entities that had reported such 500-or-more breaches since September 2009.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.