Thousands of times a year, the Office for Civil Rights of the U.S. Department of Health and Human Services resolves complaints about possible violations of the Health Insurance Portability and Accountability Act quietly, outside public view.
This story, by Charles Ornstein, first appeared July 22, 2016 on the ProPublica website.
When the federal government takes the rare step of fining medical providers for violating the privacy and security of patients' medical information, it issues a press release and posts details on the web.
But thousands of times a year, the Office for Civil Rights of the U.S. Department of Health and Human Services resolves complaints about possible violations of the Health Insurance Portability and Accountability Act quietly, outside public view. It sends letters reminding providers of their legal obligations, advising them on how to fix purported problems, and, sometimes, prodding them to make voluntary changes.
As part of its examination into the impact of privacy violations on patients, ProPublica has posted about 300 of these "closure letters" in our HIPAA Helper tool. The app allows users to review details of these cases and track repeat offenders. We obtained the letters under the Freedom of Information Act and this is the largest repository of them ever made public.
Most of the letters we've received were sent to two large providers, the U.S. Department of Veterans Affairs and CVS Health. They are the entities with the most privacy complaints that resulted in corrective-action plans or "technical assistance" provided by the Office for Civil Rights from 2011 to 2014. But there are also notices of privacy violations sent to Kaiser Permanente, Planned Parenthood and the military's health care system.
Patients accused the providers of inadvertently, or in some cases deliberately, sharing their health information without their permission – a Texas facility, for instance, kept receiving faxes from CVS intended for a Hawaii doctor with the same name. The complaints sometimes alleged that employees snooped in patients' files out of personal animus.
Currently, the government provides only vague summaries of the issues it investigates, without the specifics that could make the information useful, said Dennis Melamed, who publishes a newsletter and website on HIPAA compliance. The top five categories of complaints in 2014, according to the Office for Civil Rights website, were impermissible uses and disclosures, safeguards, administrative safeguards, access and technical safeguards.
"We're not really sure what's going on," Melamed said. "The terminology is confusing, it's overlapping and it's not consistent."
Dr. Bill Brathwaite, a health information policy consultant who helped write the federal regulations implementing HIPAA, said he personally had only seen a few closure letters. The government, he said, has abstracted the lessons from its investigations "at too high a level for people to connect and say, 'Those people are like me, I should pay more attention.'"
"The more information, the better," Brathwaite said.
ProPublica is an independent, non-profit newsroom that produces investigative journalism in the public interest.