Some of Health Care's Biggest Names Also Top HIPAA Violators, Investigation Finds

Some of the biggest names in healthcare—CVS, Kaiser Permanente, Walgreen’s, and Veterans Administration (VA)—are also the nation’s top violators of the law to protect patient privacy, according to an investigation by the public interest journalism organization, ProPublica.

The investigative series revealed that top retail pharmacy chains, health plans, and the VA routinely violate the Health Insurance Portability and Accountability Act (HIPAA), both through sloppy mistakes and rogue acts of spying. What’s worse, the investigation finds, is that repeat offenders face little likelihood of enforcement to the maximum permitted under the law.

The HHS Office of Civil Rights issues only a handful of fines—fewer than 30 since 2009—on the more than 18,000 HIPAA complaints it receives each year. (CVS did pay a $2.25 million fine in 2009 for tossing prescription bottles in a dumpster, but it still had more than 200 complaints between 2011 and 2014, according to an analysis in the report.)

What kinds of violations occur? Cases reviewed by ProPublica included honest but distressing errors, such as delivering cancer medication to the wrong address.

Worse are the purposeful, intrusive lapses such as sharing patient photos on Snapchat, or the male VA worker who allegedly used records to look up information on a patient he wanted to date. ProPublica found that the HHS Office of Civil Rights has enormous discretion under HIPAA—it can settle cases quietly, which seems to be the modus operandi—or it can impose finds of up to $50,000 per violation, up to a maximum of $1.5 million per year.

Criminal charges are possible in the most egregious cases, and complaints can be posted online if patient information is withheld. The investigation quotes Deven McGraw, deputy director of health information privacy at the Office of Civil Rights at HHS, who said the agency focuses on cases that involve at least 500 people but it could do more. She thinks it should.

“Often, when we take a look into those breaches, what we find is that they were not accidents. What contributed to the break of thousands, if not tens of thousands of records, was systemic noncompliance … over a period oftentimes of years.”

The top offender during the period examined by ProPublica is another agency of government: the VA. Against the backdrop of all its other problems—huge backlogs in scheduling patients and falsified reports—were incidents like these:

• One VA employee improperly accessed her ex-husband’s medical records more than 260 times.
• Another VA employee accessed a patient record 61 times and posted some details on Facebook.
• A veteran’s health information was improperly passed along to his parole officer.

Spokespersons for the VA and CVS told ProPublica they took issues of patient privacy very seriously. But other experts questioned how many incidents it would take for HHS to recognize a pattern of noncompliance.