by Charles Ornstein and Annie Waldman
ProPublica, Dec. 29, 2015, 4 a.m.
Few Consequences For Health Privacy Law’s Repeat Offenders
Regulators have logged dozens, even hundreds, of complaints against some health providers for violating federal patient privacy law. Warnings are doled out privately, but sanctions are imposed only rarely. Companies say they take privacy seriously.
The VA was the most persistent HIPAA violator in the data. Time and again, records show, VA employees snooped on one another and on patients they weren’t treating. One employee accessed her ex-husband’s medical record more than 260 times. Another employee peeked at the records of a patient 61 times and posted details on Facebook. A third improperly shared a vet’s health information with his parole officer.
All told, VA hospitals, clinics and pharmacies violated the law 220 times from 2011 to 2014. For this story, ProPublica counted as violations those complaints that resulted in either corrective-action plans submitted by a health provider or “technical assistance” provided by the Office for Civil Rights on how to comply with the law.
The VA has never been called out publicly by the Office for Civil Rights or sanctioned for its string of violations.
The VA would not make an official available for an interview, but said in a written statement that it “takes veteran privacy and the privacy of medical or health records very seriously.”
“The challenges VA is facing are similar to those experienced across public and private sectors, and we are continuously striving to better protect veteran data,” its statement said, adding that it provides training to staff, investigates complaints and conducts audits of who accesses health records.
Some privacy problems—whether inadvertent or the deliberate acts of rogue employees—are to be expected. But repeated complaints may signal organizational failures, experts say.