Government Just Sends Letters To Providers Accused Of HIPAA Violations, Doesn’t Tell Public

Image courtesy of Misfit Photographer

The federal government is not as rich and all-powerful as we sometimes think: while the Office for Civil Rights of the the U.S. Department of Health and Human Services has the responsibility of dealing with possible violations of patients’ privacy by medical care providers, it doesn’t have tee budget to post the warning letters that it sends after a single breach online. Is that useful information that the government should know about? Experts say that it is.

Data breaches that involve the personal information of thousands of people bring in investigations, fines, and even press releases once they’re complete, but ProPublica explains that patterns of smaller breaches can show systematic privacy problems at health care providers.

The investigative reporting nonprofit was able to obtain letters that went to providers whose names people across the country would recognize: the Veterans Administration, CVS Health, and regional Planned Parenthood affiliates.

What kind of information is disclosed? One letter that ProPublica obtained outlines an incident where a Planned Parenthood employee posted a public Facebook comment about an unspecified procedure that the patient had at one of the organization’s facilities.

That’s considered protected health information, and even as more providers fight back against bad reviews by posting patients’ information online, it’s not supposed to happen. Instead of a penalty, though, providers receive letters from the Office of Civil Rights explaining what they did wrong and advising how to correct it.

These letters theoretically could be posted online, but the agency cites budget concerns: it doesn’t have the staff required to redact all information that could be used to identify the patient from copies of the letters. After all, not giving out patient information was the original point.

You can check out the list of letters that ProPublica has received so far, though some of the descriptions are vague and unhelpful.

The Secret Documents That Detail How Patients’ Privacy is Breached [ProPublica]
Resolution Agreements and Civil Money Penalties [HHS]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.