The Sookasa Blog

Why data is so important to stemming HIPAA violations

The Dept. of Health and Human Services’ so-called HIPAA Wall of Shame is meant to capture all manner of sins when it comes to HIPAA violations, from breaches caused by unauthorized access to those involving stolen laptops. But while the Wall of Shame is a worthy database, it doesn’t tell the whole story, in part because it only concerns violations reported to the OCR and organizations whose breaches impact 500 or more patients.

On the heels of its investigative work to show that there are few consequences for HIPAA repeat offenders, ProPublica has stepped up to provide consumers with a fully searchable tool to determine whether their hospital, clinic, pharmacy or health insurer has been named in any patient privacy complaints, breaches or violations—no matter how small. In addition to data from OCR, the database also draws on information from the California Department of Public Health and the U.S. Department of Veterans Affairs.

Data—and proper context—is essential to understanding proper security measures. Hundreds of HIPAA violations occur each year. While the major breaches—like the ones at Anthem and Premera—get plenty of press, some of the most damaging ones are much smaller. In 2015, more than 256 breaches affecting 500 or more patients were reported to HHS. These incidents, taken together, affected more than 113 million patients.

So this database, which uncovers in no uncertain terms how organizations have fallen short, is welcome progress. And lest we forget how sensitive the information is that gets leaked in a HIPAA violation, the ProPublica team has also compiled a “worst-of” selection of anecdotes that perfectly illustrates just what’s at stake.

For example, a nurse told the father of one patient, who was a minor, that his daughter was pregnant before she had the chance to tell him herself. Another gave a patient the wrong placenta. A male VA employee was allegedly dating or wanted to date a female patient and accessed her records.

The database also points out organizations that incurred numerous violations since 2011, like Kaiser Permanente, Quest Diagnostics, Walgreens, and Walmart, so consumers are better informed about the potential risks they undertake in interacting with them.

In all, ProPublica’s database is a massive step forward in arming patients with the knowledge they need. If healthcare organizations and their business associates won’t protect their patients’ information, then at least patients can know which organizations to avoid.