Health Information Management

Privacy Act protects some practices with patient data breaches

HIM-HIPAA Insider, April 19, 2010

OCR cited a 36-year-old privacy law as the reason why it cannot post on its breach notification Web site the names of private practitioners who report breaches of unsecured PHI affecting 500 or more individuals.

A spokesperson from OCR writes in an e-mail to HIPAA Update that OCR considers private practitioners who report these major breaches of unsecured PHI to be “individuals” as defined by the Privacy Act of 1974.

Therefore, these “individuals” can stop OCR from posting their names on its breach notification Web site by withholding written consent. In those cases, OCR lists the entities as “private practice.”

“It is the legal opinion of HHS that the names of private practitioners are identifiable as ‘individuals,’ as defined by the Privacy Act of 1974,” a spokesperson from OCR writes to HIPAA Update.

As of April 16, 64 entities had reported breaches affecting 500 or more individuals. OCR listed eight of those as “private practice.” The total is double the 32 reporting entities initially listed when OCR made its Web site public in late February.
