The U.S. has strict rules against the unauthorized sharing of medical records, codified in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. But a new report by the investigative journalists at ProPublica uncovered plenty of privacy breaches, suggesting that the government has been shoddy at enforcing the law and in tracking repeat offenders. CVS, for example, violated HIPAA 204 times between 2011 and 2014; the government’s own Department of Veterans Affairs (VA) led the march of shame, with 220 major violations.
Investigative reports with lists and tables can be daunting to wade through, so ProPublica built a simple app: a kind of search engine that allows people to check on their health care providers. Named HIPAA Helper, the tool features a search bar that accepts not only names of health care providers (such as big offenders Kaiser, Quest, and Walgreens), but keywords describing the types of offenses, such as “ex-boyfriend” or “organ donor.” Typing in “Facebook,” for example, reveals 43 violations (many by VA employees) for things like posting a photo of blood vials with patient’s names on them. In another case, a work-study student at the VA got into an argument with a patient on Facebook and then posted the veteran’s medical data in a post. There are 93 cases of ex-boyfriends looking up their former paramour’s medical records.
The Department of Health and Human Services, which enforces HIPPA, is not providing this information—at least not directly. Instead, ProPublica gathered it through a Freedom of Information Act (FOIA) request to the department’s Office of Civil Rights, as well as requests to the VA and the California Department of Public Health, which enforces the state’s own medical privacy laws. We asked HHS if it would consider providing its own public information portal on breaches in the future. “The HHS Office for Civil Rights has no comment with respect to your first question,” wrote public affairs advisor Rachel Seeger in an emailed reply.
(Regarding a second question we posed, HHS has vowed to take the recommendations of its own recent internal review to better track smaller data breaches and to repeat offenders.)
ProPublica then cleaned up the records and entered them into its own database. The data is neither comprehensive nor in real time, but it’s better than what government agencies provide. At least, it gives the public an idea of how our health care providers are doing.
I usually get my prescriptions from Walgreens, which ranks number three in violations, behind the VA and CVS. To be fair, the biggest violators are also generally the providers with the most patients—as ProPublica itself points out. Typing “Walgreens” into the search bar brought up its 183 violations, but not much insight. A typical entry says nothing concrete, for example:
Issue: Data not available.
Outcome: Technical assistance provided
Such generic data comes from the HHS Office for Civil Rights. As for the VA, it’s at least more thorough in documenting what went wrong, for example:
A work study was communicating with a Veteran Via Facebook. The employee and Veteran got into a dispute and the employee disclose information about the Veteran’s care in a post. The employee would likely access the patient record in the performance of their duties as a MSA.
The severity of offenses varies widely, from dumb mistakes like mailing a prescription to the wrong person to posting on Facebook that someone has a sexually transmitted disease and calling her a “hoe.”
With a tool like HIPPA Helper, at least the patients themselves can decide how serious a privacy breach is and whether they want to keep using a health care provider with a record of violations.