To contrast the large healthcare data breaches that get high public
visibility but may have lesser-known impacts on the individuals whose data is stolen
with the little-known breaches that can have a huge impact on a single
individual, National Public Radio reported "Small
Violations of Medical Privacy Can Hurt Patients and Corrode Trust."
The report notes:
Under the federal law called the Health
Insurance Portability and Accountability Act, or HIPAA, it's illegal for
health care providers to share patients' treatment information without their
permission. The Office for Civil Rights, the arm of the Department of Health
and Human Services responsible for enforcing the law, receives more than 30,000
reports about privacy violations each year.
The bulk of the government's enforcement —
and the public's attention — has focused on a small number of splashy cases in
which hackers or thieves have accessed the health data of large groups of
people. But the damage done in these mass breaches has been mostly
hypothetical, with much information exposed, but little exploited.
The report also notes that:
Even when small privacy violations have real consequences, the federal
Office for Civil Rights rarely punishes health care providers for them.
Instead, the office typically settles for pledges to fix any problems and
issues reminders of what the privacy law requires. It doesn't even tell the
public which health providers have reported small breaches — or how many.
The Office for Civil Rights
took some criticism in this NPR report:
The vast majority of the federal Office for Civil
Rights' enforcement work has been directed at large-scale medical data
breaches, whether or not they result in any demonstrable real-world harm.
Health providers are required
to notify the office within 60 days of breaches affecting at least 500
people and also must share details with the media and contact those potentially
affected. OCR's website makes public a
list of these cases, highlighting them on what industry insiders dub the
Wall of Shame.
Rarely do small privacy breaches get anywhere
near the same attention, except when they involve celebrities or high-profile
individuals.
Organizations only have to report them to OCR
once a year. Even then, the agency doesn't post them online. HHS has rejected
requests under the Freedom of Information Act for information about them.
Since 2009, OCR has received information
about 1,400 large breaches. During the same time, more than 181,000 breaches
affecting fewer than 500 individuals have been reported.
In September, the HHS inspector general issued 2 reports that criticized
the Office for Civil Rights, including its handling of small breaches. One
report said the OCR
should strengthen its follow-up of breaches of Patient Health Information when
reported by HIPAA covered entities.
Another report said the OCR should strengthen
its oversight of covered entities’ compliance with the HIPAA Privacy Standards.
The inspector general said OCR did not investigate the small breaches reported
to it, nor did it log them in its tracking system.