Health Information Management

Industry insiders question not revealing violators of health information breaches

HIM-HIPAA Insider, March 29, 2010

The Office for Civil Rights (OCR) cannot post the names of entities that report breaches of unsecured personal health information affecting 500 or more individuals unless the entity gives it written consent, OCR says.

In cases where OCR does not have written consent, it will cite the entity on its Web site as “private practice.” This method has led industry insiders to question OCR, says Kate Borten, CISSP, CISM, president, The Marblehead (MA) Group.

Per the HITECH Act, OCR must post “a list that identifies each covered entity” that reports breaches affecting 500 or more individuals.

However, of the 44 organizations listed on the Web site as of last week, seven are cited by OCR as “private practice.”

“Under current Privacy Act restrictions,” an OCR representative writes in an e-mail to HIPAA Update, “OCR may not disclose the names or other identifying information about private practitioners without their written consent.”
