ProPublica has launched a HIPAA compliance violation search engine to make it easier for consumers to find healthcare organizations that have violated patient privacy in the past. The ProPublica HIPAA Helper database allows individuals to find out who is repeatedly violating patient privacy and HIPAA Privacy and Security Rules.
Setting up the ProPublica HIPAA Helper Database
Determining which healthcare organizations have violated HIPAA Rules and exposed patient data or violated patient privacy is not a simple task. The Department of Health and Human Services’ Office for Civil Rights does list data breaches which have been self-reported by HIPAA-covered entities, although not all cases are publicly accessible.
Only data breaches affecting more than 500 individuals are listed on the OCR breach portal, even though HIPAA does require smaller data breaches to be reported on an annual basis. Then there are the complaints of privacy violations that are lodged with the OCR by employees and the general public.
The OCR breach reporting portal contains multiple entries from healthcare organizations listed under slightly different names, making searching for HIPAA violations difficult. When compiling the ProPublica HIPAA Helper database, breach reports and complaints were standardized. This ensures that a search for a covered entity brings up all breaches and HIPAA violations in the database.
In order to set up the database researchers first had to acquire data. This was compiled from numerous sources including the California Department of Public Health, the Department of Veteran Affairs, as well as the OCR. In the case of the latter, information about large-scale data breaches could easily be obtained. To find out about the complaints that had been filed ProPublica requested information from the OCR under the Freedom of Information Act. It received a PDF file containing 13,200 complaints spanning some 5,000 pages.
After obtaining and analyzing data contained in the PDF, it was possible to populate a database with details of data breaches and privacy violations from 2011 to 2014. Only healthcare companies were included. Individual practitioners’ names were not included in the data, although efforts are being made by ProPublica to also obtain that information.
An Easy Way to Check HIPAA Violations
The ProPublica HIPAA Helper can be used to search for violations committed by healthcare providers, and shows just how many violations have occurred. A list of the biggest HIPAA violators was produced, with the top five being: The Department of Veteran Affairs with 220 violations, CVS Health had 204 violations, followed by Walgreen with 183, Kaiser Permanente with 146, and Walmart with 71.
The data is useful and can be used by patients to determine where they should take their business, but it should be borne in mind that while the ProPublica HIPAA Helper provides data on violations, it does not put the figures into context. A small healthcare provider operating out of one location that has violated HIPAA on 4 occasions would potentially be more concerning than CVS Health. The company serves 5 million customers every day across its 68,000 retail network pharmacies, 7,900 CVS/pharmacy stores, and 1,000 MinuteClinic locations. It issues 1.7 billion prescriptions each year. That volume of transactions will undoubtedly result in some HIPAA violations being made. Consider those figures and the 220 violations over 4 years does not seem so bad.