Not all data breaches are reported or penalized equally. While some organizations face multimillion-dollar fines for alleged HIPAA violations, HHS' Office for Civil Rights resolves thousands of complaints of potential violations without notifying the public, according to an investigation by ProPublica.
For example, HHS' OCR investigated two data breaches at Portland-based Oregon Health & Science University, which agreed to a $2.7 million settlement reported last week. But "closure letters," obtained by ProPublica through the Freedom of Information Act, indicate the OCR often responds to HIPAA violation allegations with letters advising organizations how to address certain problems and outlining key legal requirements.
ProPublica has gathered roughly 300 of these letters and posted them online. The majority of the letters were sent to the Department of Veterans Affairs and CVS Health, which had the most privacy complaints resulting in corrective-action plans or "technical assistance" from the OCR between 2011 and 2014, according to the report.
One such letter, dated Sept. 3, 2013, says: "We have carefully reviewed your complaint against CVS Pharmacy, and have determined to resolve this matter informally through the provision of technical assistance to CVS Pharmacy. Should OCR receive a similar allegation of noncompliance against CVS Pharmacy in the future, OCR may initiate a formal investigation of that matter.
"Based on the foregoing, OCR is closing this case without further action."
Deven McGraw, deputy director for health information privacy at the OCR, told ProPublica the agency wants to make more closure letters publicly available but lacks the time and budget to do so. All names and identifying information have to be redacted before closure letters can be made public, and when the agency receives more than 17,000 complaints in one year, as it did in 2014, resources are limited.
"I do think it's something that we should do but we have to figure out the best way to make that happen," Ms. McGraw told ProPublica. "It is something we're working on."