This week, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) began posting summaries of breach reports it has received as newly mandated by the HITECH Act.
In commenting on the breaches, this site observed that some breaches simply stated “Private Practice” instead of the name of the breached entity. Because the intent of the breach disclosure and notification requirements in HITECH was that breaches would be disclosed to the media AND to HHS who would post information on their site, such shielding seemed inappropriate and inconsistent with both the statute and intent of Congress.
In response to an inquiry from this site as to why OCR had shielded entities’ names that way, OCR sent the following statement:
The Privacy Act of 1974, at 5 U.S.C. 552a, protects records that can be retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol. Therefore, OCR cannot disclose the names or other identifying information about private practitioners without their written consent.
Oh really? Even if Congress enacted legislation to mandate just that? Why did Rick Lawson have his name listed as an involved Business Associate for one breach, but a private practitioner does not have his or her name listed? And how can the public be aware of which covered entities might place their data at risk if names are shielded? OCR’s approach or application of the Privacy Act seems to give greater protection from reputational harm to covered entities who do business under their own names than to covered entities who have corporate names.
Although I genuinely appreciate OCR’s prompt reply, I am not satisfied with their response nor with the fact that their summaries do not include important information such as the type of records exposed in each breach. As a result, I have written to them again and have also reached out to some other organizations that are concerned about transparency and the intent of Congress in enacting HITECH. Expect to see more about this issue on this site at some point.
Interesting that the dentists, Ashley and Grey, were mentioned by name. I guess they don’t have the same clout as the physicians.
I wonder if they incorporated or are LLC or something. If it’s their business name, OCR may have felt that they had to use it.
Advantage to those who don’t incorporate?