Posts tagged: private practitioners

Three newly revealed breaches affect over 20,000 (updated)

By Dissent, March 25, 2010

The new HHS/OCR web site has added three more breach reports:

Montefiore Medical Center
State: New York
Approx. # of Individuals Affected: 625
Date of Breach: 2/20/10
Type of Breach: Theft
Location of Breached Information: Laptop

Private Practice
City and State: San Antonio, Texas
Approx. # of Individuals Affected: 21,000
Date of Breach: 2/20/10
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device

Aspen Dental Care P.C.
State: Colorado
Approx. # of Individuals Affected: 2,500
Date of Breach: 10/04/09
Type of Breach: Theft
Location of Breached Information: Other

None of these breaches had been reported in the media, to my knowledge, so this is the first we are learning of these incidents. Unfortunately, because of the type of summary HHS/OCR has chosen to provide, we do not know whether any SSNs or financial information were also involved in the breaches.

The second breach above highlights an issue I’ve raised on this blog before: private practitioners’ names are being shielded. Here you have a practitioner who has a device with unsecured protected health information on 21,000 patients stolen, and we are not told who that is. If you lived in San Antonio, wouldn’t you want to know whether a doctor you were considering using had left PHI unsecured?

As reported previously, OCR told me that they had no choice but to shield names because of the Privacy Act of 1974, but that still seems to clash with the clear intent of Congress. A private practitioner is a business entity, regardless of whether they use their SSN or a Tax ID and regardless of whether they incorporate or not. They should have the same exposure and accountability as all other HIPAA/HITECH-covered entities in this regard.

I put in a call to a member of Congress yesterday about this issue and will follow up.

Six newly revealed breaches on HHS site

By Dissent, March 10, 2010

It seems that the new HHS/OCR web site will be even more difficult to use than I anticipated, as they are sorting breach reports by the date of the breach rather than by the date the incident was added to their site, so I have to review the entire list to see what has been added instead of just looking for what’s new at the top of the list.

In any event, here are six more breach reports that have been added to their web site. Other breaches that have recently been added to their site were already reported in the media; these are just the ones we didn’t know about already:

North Carolina Baptist Hospital
State: North Carolina
Approx. # of Individuals Affected: 554
Date of Breach: 2/15/10
Type of Breach: Theft
Location of Breached Information: Paper Records

University of New Mexico Health Sciences Center
State: New Mexico
Approx. # of Individuals Affected: 1,900
Date of Breach: 2/08/10
Type of Breach: Other
Location of Breached Information: Desktop Computer

Lucille Packard Children’s Hospital
State: California
Approx. # of Individuals Affected: 532
Date of Breach: 1/11/10
Type of Breach: Other
Location of Breached Information: Desktop Computer

Advanced NeuroSpinal Care
State: California
Approx. # of Individuals Affected: 3,500
Date of Breach: 12/30/09
Type of Breach: Theft, Loss
Location of Breached Information: Network Server, Desktop Computer

Brown University
State: Rhode Island
Business Associate Involved: Blue Cross Blue Shield of Rhode Island
Approx. # of Individuals Affected: 528
Date of Breach: 12/11/09
Type of Breach: Unauthorized Access
Location of Breached Information: Paper Records

Center for Neurosciences
State: Arizona
Approx. # of Individuals Affected: 1,101
Date of Breach: 12/15/09
Type of Breach: Theft
Location of Breached Information: Laptop

OCR’s web site criticized for “bare bones” approach

By Dissent, March 1, 2010

Over on the Los Angeles Times, David Lazarus raises an issue that I raised here last week: the fact that some entries on the Office of Civil Rights’ (OCR’s) list of breached covered health care entities shield the entity’s name and merely list the entity as “Private Practice.” Referring to the breaches posted on OCR’s web site, David writes:

In the [five] Sept. 27 Torrance cases, for example, were the doctors in the same office? Were they in the same building? Did they share a single computer? Did they share office staff? Or was it just a fluke that five local doctors’ offices were hit by cyber-thieves on the same day? More to the point, were people’s Social Security numbers involved? What about billing information? The Health and Human Services database doesn’t include this information. Nor does it identify the doctors involved.

All good points. But the HITECH Act does not seem to require HHS to post all the data they receive about a breach (breached entities use the reporting form at http://transparency.cit.nih.gov/breach/index.cfm, if you want to see what information HHS requires entities to provide). Ironically, perhaps, the transparency in the URL doesn’t extend to sharing the information with the public openly. David obtained a statement from Georgina Verdugo, Director of the HHS Office for Civil Rights, who reportedly said:

The main point of the law is not to put notices up on the website. It’s to trigger a regulatory investigation.

Oh really? I thought that the main point of the part of the law requiring HHS to post a list on its web site was to inform the public. HHS does not need a web site to investigate breach reports they get. We, the people, need the web site so that we can see whether those we may have entrusted with our protected health information have been worthy of that trust and to have information available to assist us in choosing our health care providers or insurers if the security and privacy of our health information is important to us. HITECH was supposed to give us greater protections, assurances that we will be notified of compromise of our unsecured protected health information, and greater transparency. Although OCR’s list may be better than having nothing, it really does not provide sufficient information. Because OCR is taking the position that it cannot reveal the private practitioner’s names without their consent, I will probably have to file under Freedom of Information and then appeal the ruling. Hopefully, some of the organizations who fight for transparency and access to public records will either join me or take over as they have more knowledge and resources to fight this than I do.

OCR/HHS reveals two more breaches

By Dissent, March 1, 2010

The public list of breaches reported to HHS under the HITECH Act was updated to add two entries. Both entries are associated with the same business associate: MSO of Puerto Rico. I do not see anything on the web sites of the covered entities or the business associate about the incident, nor did I see any press release in any of the major media outlets I routinely check for breach-related news.

PMC Medicare Choice

State: New York
Business Associate Involved: MSO of Puerto Rico
Approx. # of Individuals Affected: 605
Date of Breach: 2/04/10
Type of Breach: Other
Location of Breached Information: Paper Records

MMM Health Care Inc.

State: New York
Business Associate Involved: MSO of Puerto Rico, Inc.
Approx. # of Individuals Affected: 1,907
Date of Breach: 2/04/10
Type of Breach: Other
Location of Breached Information: Paper Records

While it is encouraging to see OCR updating the site in a timely fashion, we still do not know what types of information were involved nor how the breach occurred. Did an insider steal records, were they destroyed insecurely, was there a burglary? And how can we evaluate the risk? Did the paper records contain SSNs, credit card information, diagnoses, treatment codes, Medicare Identification Numbers, or what? HHS is receiving this information from the entities, but the HITECH Act does not require HHS to make all of the details publicly available on their site. It merely requires that a list of breached entities be posted.

I have not yet received an answer to my follow-up questions to OCR about the shielding of private practitioners’ names and the public-records nature of these breach reports, so there is nothing new to report on that front other than that I consider this a very important issue that goes to the core of open records. As a matter of public policy and decision-making, we need to know more about what is going on so that we can learn from it and develop better strategies for protecting the privacy and security of patients’ records.

OCR explains why it shielded names on published breach list

By Dissent, February 24, 2010

This week, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) began posting summaries of breach reports it has received as newly mandated by the HITECH Act.

In commenting on the breaches, this site observed that some breaches simply stated “Private Practice” instead of the name of the breached entity. Because the intent of the breach disclosure and notification requirements in HITECH was that breaches would be disclosed to the media AND to HHS who would post information on their site, such shielding seemed inappropriate and inconsistent with both the statute and intent of Congress.

In response to an inquiry from this site as to why OCR had shielded entities’ names that way, OCR sent the following statement:

The Privacy Act of 1974, at 5 U.S.C. 552a, protects records that can be retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol. Therefore, OCR cannot disclose the names or other identifying information about private practitioners without their written consent.

Oh really? Even if Congress enacted legislation to mandate just that? Why did Rick Lawson have his name listed as an involved Business Associate for one breach, but a private practitioner does not have his or her name listed? And how can the public be aware of which covered entities might place their data at risk if names are shielded? OCR’s approach or application of the Privacy Act seems to give greater protection from reputational harm to covered entities who do business under their own names than to covered entities who have corporate names.

Although I genuinely appreciate OCR’s prompt reply, I am not satisfied with their response nor with the fact that their summaries do not include important information such as the type of records exposed in each breach. As a result, I have written to them again and have also reached out to some other organizations that are concerned about transparency and the intent of Congress in enacting HITECH. Expect to see more about this issue on this site at some point.