A federal agency sends thousands of letters a year to health providers closing out complaints about HIPAA violations. Though the government could make those letters public, it doesn’t. Enter the Freedom of Information Act.

By Charles Ornstein

(Photo: John Moore/Getty Images)

When the federal government takes the rare step of fining medical providers for violating the privacy and security of patients’ medical information, it issues a press release and posts details on the Web.

But thousands of times a year, the Office for Civil Rights of the Department of Health and Human Services resolves complaints about possible violations of the Health Insurance Portability and Accountability Act quietly, outside public view. It sends letters reminding providers of their legal obligations, advising them on how to fix purported problems, and, sometimes, prodding them to make voluntary changes.

Case closed.

As part of its examination into the impact of privacy violations on patients, ProPublica has posted about 300 of these “closure letters” in our HIPAA Helper tool. The application allows users to review details of these cases and track repeat offenders. We obtained the letters under the Freedom of Information Act and this is the largest repository of them ever made public. (See a list of the letters.)

“We are never complacent about privacy matters and we constantly strive to address and reduce disclosure incidents by enhancing our training and safeguards.”

Most of the letters we’ve received were sent to two large providers, the Department of Veterans Affairs (VA) and CVS Health. They are the entities with the most privacy complaints that resulted in corrective-action plans or “technical assistance” provided by the Office for Civil Rights from 2011 to 2014. But there are also notices of privacy violations sent to Kaiser Permanente, Planned Parenthood, and the military’s health-care system.

Patients accused the providers of inadvertently, or, in some cases, deliberately, sharing their health information without their permission — a Texas facility, for instance, kept receiving faxes from CVS intended for a Hawaii doctor with the same name. The complaints sometimes alleged that employees snooped in patients’ files out of personal animus.

Currently, the government provides only vague summaries of the issues it investigates, without the specifics that could make the information useful, said Dennis Melamed, who publishes a newsletter and website on HIPAA compliance. The top five categories of complaints in 2014, according to the Office for Civil Rights website, were impermissible uses and disclosures, safeguards, administrative safeguards, access, and technical safeguards.

“We’re not really sure what’s going on,” Melamed said. “The terminology is confusing, it’s overlapping and it’s not consistent.”

Dr. Bill Brathwaite, a health information policy consultant who helped write the federal regulations implementing HIPAA, said he personally had only seen a few closure letters. The government, he said, has abstracted the lessons from its investigations “at too high a level for people to connect and say, ‘Those people are like me, I should pay more attention.’”

“The more information, the better,” Brathwaite said.

Deven McGraw, deputy director for health information privacy at the Office for Civil Rights, said her agency wants to put closure letters online but is constrained by its limited budget. In 2014, the most recent year for which data is available, it received more than 17,000 complaints, as well as tens of thousands of self-reported breaches of medical information.

Before closure letters can be released publicly, she said, the names of individual patients and other identifying information would have to be redacted.

“I do think it’s something that we should do but we have to figure out the best way to make that happen,” McGraw said. “It is something we’re working on.”

CVS and the VA have told ProPublica that they are committed to protecting patient privacy.

“We are never complacent about privacy matters and we constantly strive to address and reduce disclosure incidents by enhancing our training and safeguards,” CVS said in a statement last fall. The VA said at the time, “VA takes veteran privacy and the privacy of medical or health records very seriously.”

David Holtzman, who used to work at the Office for Civil Rights and is now vice president of compliance strategies for CynergisTek, a consulting firm, said the government does not have the money to catalog and archive closure letters. The Office for Civil Rights, whose budget has been flat for several years, should focus its resources on improving internal systems to detect and respond to privacy and security breaches instead, he added.

“To do this would cost money and it’s money they don’t have,” Holtzman said. “Each matter rests on its own merits and it is difficult to draw parallels from one case to another. There is going to be variability that is perhaps not captured in the black and white space of a closure letter.”

||

This story originally appeared on ProPublica as “The Secret Documents That Detail How Patients’ Privacy Is Breached” and is re-published here under a Creative Commons license.