The Office for Civil Rights (OCR) cannot post the names of entities that report breaches of unsecured personal health information affecting 500 or more individuals unless the entity gives it written consent, OCR tells HealthLeaders Media.
In cases where OCR does not have written consent, it will cite the entity on its Web site as "private practice." This method has led industry insiders to question OCR, says Kate Borten, CISSP, CISM, president, The Marblehead (MA) Group.
Per the HITECH Act, OCR must post "a list that identifies each covered entity" that reports breaches affecting 500 or more individuals.
However, of the 44 organizations listed on the Web site as of Friday, seven are cited by OCR as "private practice."
"Under current Privacy Act restrictions," OCR writes to HealthLeaders Media in an e-mail, "OCR may not disclose the names or other identifying information about private practitioners without their written consent."
Five of those "private practices" are from the same city on the same date—Torrance, CA, September 27, 2009—but each is posted with a different number of individuals affected. The highest number of affected individuals is 6,145. The other two "private practices" are out of Stoughton, MA, and Wilmington, NC.
Borten says listing private practice "defeats the purpose of public posting. I doubt this is what Congress had in mind."
Since September, of the 44 entities that have reported such large breaches, 10 involved business associates (BAs). It is not clear whether the "private practices" are BAs or covered entities.
The most egregious breach case came from Blue Cross Blue Shield of Tennessee, which affected 500,000 as a result of stolen hard drives, OCR reported on its Web site.
Following Blue Cross Blue Shield is AvMed, Inc., a Gainesville, FL, health plan. A stolen laptop on December 10, 2009, resulted in a reported breach affecting 359,000 individuals, according to OCR.
Borten says she's also concerned that the Web site posting of the breaches of 500 or more is hard to find. To get to the 500 list, users must click "New Breach Notification Web Pages" on the privacy home page. From there, the link to the 500 list is on the bottom right-hand corner.