Kyle Lawson reports on a case involving Monroeville, Pennsylvania that I’ve followed on this blog over the past few years. As I had noted, although I thought there was a privacy violation, it wasn’t clear to me whether the services involved were HIPAA-covered entities. It turns out they weren’t. Lawson reports:
[HHS’s] investigation found that neither the dispatch center, police department or fire department are health care providers, health plans or health care clearinghouses, and therefore are not covered by the Health Insurance Portability and Accountability Act, according to the letter.
Read more on TribLive. The Pittsburgh Post-Gazette also covers the finding and has uploaded a copy of HHS’s closing letter.
In this case, then, it’s accurate to say that there’s no violation of HIPAA only because HIPAA doesn’t apply. I do not think it is appropriate to say that there has been no violation of privacy, and investigators hired by the town did find concerns in that regard. In other words, I disagree with Municipal Manager Timothy Little, who is quoted in the Post-Gazette as saying:
“I think it lifts a cloud off of Monroeville, and specifically the public safety aspect of the municipality, that there wasn’t any wrongdoing with respect to [health privacy law] violations,” Mr. Little said.
To the contrary, I think there was substantial wrong-doing in terms of privacy, and HHS even noted problems they observed, but HIPAA doesn’t cover the agencies.
Keep in mind that because they are not a HIPAA-covered entity, the involved agencies were also not subject to HIPAA’s Security Rule. In this case there were reported security as well as privacy concerns about access not being appropriately restricted to those who had a need to know. There were also security concerns about access to the police database.
So this is one of those situations where people’s information can really be at risk of improper exposure or breaches and yet there is no clearly applicable federal law that covers the situation. There is however, a Pennsylvania law restricting access to the criminal history database the police use, and an audit by the state’s attorney general had found Monroeville in violation.
From the getgo, this case’s serious privacy and data security concerns became ensnarled in local politics. And that’s a shame, because had the concerns raised been professionally and promptly addressed, the drama and job demotions and firings likely could have been avoided and the privacy and security of Monroeville’s residents would have been better protected sooner.