While you’ve heard of HIPAA if you’ve visited a doctor or filled a prescription in the last 20 years, you probably aren’t as familiar with the federal Office for Civil Rights, which is in charge of actually enforcing HIPAA and handing out punishments to health care providers that violate it.
Yet an analysis by investigative reporting nonprofit ProPublica shows that many of the same providers violate the law and their patients’ or customers’ privacy over and over, and aren’t punished for it. In the last four years, the top violator was part of the federal government: there were 220 complaints filed against the Veterans Administration, including one where a VA employee posted a veteran’s medical information on Facebook and chatted about it with her friends.
Taking the silver and bronze medals, though, were pharmacy chains CVS Health and Walgreens, followed by mega-health organization Kaiser Permanente and Walmart. If the violations for Walgreens and Rite Aid were combined, they would have taken the top spot from the VA.
One patient in California didn’t discover a breach until, three months after giving birth, she thawed out her placenta and noticed that it had a different mother’s name on it. Hospital staff hadn’t checked the name on the container against her bracelet, resulting in a HIPAA complaint.
An Office for Civil Rights official explained to ProPublica that their priority has been dealing with large breaches, where 500 or more people were affected. Small but repeated breaches are investigated but not necessarily punished.
Few Consequences For Health Privacy Law’s Repeat Offenders [ProPublica/NPR]