Few Consequences For Health Privacy Law’s Repeat Offenders
by Charles Ornstein and Annie Waldman, ProPublica
When CVS Health customers complained to the company about privacy violations, some of the calls and letters made their way to Joseph Fenity. One patient’s medication was delivered to his neighbor, revealing he had cancer. Another was upset because a pharmacist had yelled personal information across the counter.
Fenity worked on a small team at CVS Health that dealt with complaints directed to the company president’s office, assuring customers their situations were rare. “I sincerely apologize on behalf of CVS Health,” Fenity says he’d respond. “This is not how we handle things. The breach of your protected health information was an isolated incident and we’ll do better.”
In fact, Fenity learned — partly from battling CVS over the privacy of his own medical information — that was “a lie.”
CVS, headquartered in Woonsocket, R.I., is among hundreds of health providers nationwide that repeatedly violated the federal patient privacy law known as HIPAA between 2011 and 2014, a ProPublica analysis of federal data shows. Other well-known repeat offenders include the Department of Veterans Affairs, Walgreens, Kaiser Permanente, and Walmart.
And yet, the agency tasked with enforcing the Health Insurance Portability and Accountability Act took no punitive action against these providers, ProPublica found.
Continue reading on propublica.com » which also has:
- A “HIPAA Helper” app allowing users to look up whether a particular hospital, clinic, pharmacy or health insurer has been named in patient privacy complaints, breaches or violations
- Details on 10 “notable incidents” from California and elsewhere
- Links to other posts in ProPublica’s ongoing Policing Patient Privacy series, such as the previous installment, “The Consequences for Violating Patient Privacy in California? Depends Where the Hospital Is.”