VA, CVS Health receive most OCR closure letters for HIPAA complaints

The Department of Veterans Affairs and CVS represent the two entities that have received the most HIPAA complaints resulting in corrective-action plans or technical assistance from the Health and Human Services Department's Office for Civil Rights, according to a ProPublica report.

ProPublica, in 2015, created a HIPAA Helper website that allows users to search for data breaches, privacy complaints or HIPAA violations by specific healthcare facilities, providers or payers.

Now, the publication has posted 300 “closure letters” sent between 2011 and 2014 by OCR; the information was obtained through Freedom of Information Act requests.

CVS Health received more than 100 letters in that time frame, and the VA received a little more than 140.

The OCR letters remind “providers of their legal obligations, advising them on how to fix purported problems, and, sometimes, prodding them to make voluntary changes,” according to the report.

Some of the complaints to which the letters were responding included faxes going to the wrong doctor or employees snooping in patients’ files, ProPublica noted.

Last year, ProPublica also called out the VA and CVS, as well as Walgreens, Kaiser Permanente and Walmart, for receiving repeated HIPAA complaints.

Deven McGraw, deputy director for health information privacy at OCR, told the publication that more closure letters are not posted online because of budgetary restraints. In 2014, OCR received more than 17,000 complaints.

“I do think it’s something that we should do, but we have to figure out the best way to make that happen,” McGraw said. “It is something we’re working on.”

Representatives from CVS and the VA previously told ProPublica that privacy and security of patient information is very important, according to the article.

To learn more:
- read the report
- check out the closure letters