Monday, December 14, 2015

Small privacy violations can have a huge impact on individuals but don't get the appropriate attention and follow-up under current HIPAA enforcement

National Public Radio's report, Small Violations of Medical Privacy Can Hurt Patients and Corrode Trust, contrasts the large healthcare data breaches that get high public visibility but may have little known impact on the individuals whose data is stolen with the little-known breaches that can have a huge impact on a single individual.

The report notes –

Under the federal law called the Health Insurance Portability and Accountability Act, or HIPAA, it's illegal for health care providers to share patients' treatment information without their permission. The Office for Civil Rights, the arm of the Department of Health and Human Services responsible for enforcing the law, receives more than 30,000 reports about privacy violations each year.

The bulk of the government's enforcement — and the public's attention — has focused on a small number of splashy cases in which hackers or thieves have accessed the health data of large groups of people. But the damage done in these mass breaches has been mostly hypothetical, with much information exposed, but little exploited.

The report also notes that –

Even when small privacy violations have real consequences, the federal Office for Civil Rights rarely punishes health care providers for them. Instead, the office typically settles for pledges to fix any problems and issues reminders of what the privacy law requires. It doesn't even tell the public which health providers have reported small breaches — or how many.

The NPR report also criticized the Office for Civil Rights:

The vast majority of the federal Office for Civil Rights' enforcement work has been directed at large-scale medical data breaches, whether or not they result in any demonstrable real-world harm.

Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected. OCR's website makes public a list of these cases, highlighting them on what industry insiders dub the Wall of Shame.

Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.

Organizations only have to report them to OCR once a year. Even then, the agency doesn't post them online. HHS has rejected requests under the Freedom of Information Act for information about them.

Since 2009, OCR has received information about 1,400 large breaches. During the same time, more than 181,000 breaches affecting fewer than 500 individuals have been reported.

In September, the HHS inspector general issued two reports that criticized the Office for Civil Rights, including its handling of small breaches. One report said OCR should strengthen its follow-up of breaches of patient health information reported by HIPAA covered entities. The other said OCR should strengthen its oversight of covered entities' compliance with the HIPAA Privacy Standards. The inspector general found that OCR did not investigate the small breaches reported to it or log them in its tracking system.
