Health providers that face repeated complaints for HIPAA violations rarely face consequences, according to a new ProPublica report.
From an analysis of federal data, ProPublica names the top repeat offenders, which include the U.S. Department of Veterans Affairs, Walgreens, CVS, Kaiser Permanente and Walmart. The companies say they take patient privacy seriously.
For example, in more than 200 instances in the data analyzed between 2011 and 2014, the HHS Office for Civil Rights reminded CVS of its obligations under the law or accepted its pledges to do better. The story notes that CVS did pay a $2.25 million penalty in 2009 for dumping prescription bottles in unsecured dumpsters.
"The patterns you've identified make a person wonder how far a company has to go before HHS recognizes a pattern of noncompliance," Joy Pritts, former chief privacy officer for the Office of the National Coordinator for Healthcare Information Technology, tells ProPublica.
The story cites the VA as the most persistent HIPAA violator with 220 incidents, including multiple instances of unauthorized employee snooping on patient records. Yet OCR has never made public any enforcement actions against the agency.
ProPublica also has created an online tool called HIPAA Helper that allows users to search for data breaches, privacy complaints or HIPAA violations by specific healthcare facilities, providers or payers.
It aggregates data from OCR, the VA and the California Department of Public Health, which enforces California's medical privacy laws.
ProPublica has previously reported that few healthcare organizations are fined for HIPAA violations. And earlier in December, it detailed how OCR has rarely imposed sanctions for small-scale privacy breaches that caused lasting harm.