Over on the Los Angeles Times, David Lazarus raises an issue that I raised here last week: the fact that some breaches on the Office of Civil Rights’ (OCR’s) list of breached covered health care entities shield the entity’s name and merely lists the entity as “Private Practice.” Referring to the breaches posted on OCR’s web site, David writes:
In the [five] Sept. 27 Torrance cases, for example, were the doctors in the same office? Were they in the same building? Did they share a single computer? Did they share office staff? Or was it just a fluke that five local doctors’ offices were hit by cyber-thieves on the same day? More to the point, were people’s Social Security numbers involved? What about billing information? The Health and Human Services database doesn’t include this information. Nor does it identify the doctors involved.
All good points. But the HITECH Act does not seem to require HHS to post all the data they receive about a breach (breached entities use the reporting form at http://transparency.cit.nih.gov/breach/index.cfm if you want to see what information HHS requires entities to provide). Ironically, perhaps, the transparency in the url doesn’t extend to sharing the information with the public openly. David obtained a statement from Georgina Verdugo, Director of the HHS Office for Civil Rights who reportedly said:
The main point of the law is not to put notices up on the website. It’s to trigger a regulatory investigation.
Oh really? I thought that the main point of the part of the law requiring HHS to post a list on its web site was to inform the public. HHS does not need a web site to investigate breach reports they get. We, the people, need the web site so that we can see whether those we may have entrusted with our protected health information have been worthy of that trust and to have information available to assist us in choosing our health care providers or insurers if the security and privacy of our health information is important to us. HITECH was supposed to give us greater protections, assurances that we will be notified of compromise of our unsecured protected health information, and greater transparency. Although OCR’s list may be better than having nothing, it really does not provide sufficient information. Because OCR is taking the position that it cannot reveal the private practitioner’s names without their consent, I will probably have to file under Freedom of Information and then appeal the ruling. Hopefully, some of the organizations who fight for transparency and access to public records will either join me or take over as they have more knowledge and resources to fight this than I do.
I don’t understand why the name of a private practitioner can’t be truncated and the details revealed. That doctor’s patients will be notified but we need to help see patterns. My other concern is that I know there are other breaches that should have been on that list. Are they hiding under the “risk of harm” clause? Companies deciding if risk of harm is a problem. It provides a shield. Only a federal law enforcement agency should have power to say there is no risk of harm. Companies must have some strange Crazy 8 balls they shake- Risk of harm: no way, undoubtable no, don’t ask-don’t tell. Unfortunately it is not a carnie game to those of us whose information may be exposed.