Eggeson said it’s distressing that more states aren’t like Indiana.

“Privacy protections should be the same regardless of what state you’re in,” he said. “There is something wrong with an employer providing the means, providing the access, and providing the tools by which an employee can commit this crime and then being able to hold up their hands and say, ‘It’s not our fault.’”

Small breaches get less attention

The vast majority of the Office for Civil Rights’ enforcement work has been directed at large-scale medical data breaches, whether or not they result in any demonstrable real-world harm.

Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected. OCR’s website makes public a list of these cases, highlighting them on what industry insiders dub the Wall of Shame.

Several massive breaches have come to light this year: In February, Anthem Inc. disclosed that hackers had accessed records of nearly 80 million people. The following month, Premera Blue Cross, based in the Pacific Northwest, disclosed that a similar cyberattack had exposed the records of some 11 million people.

OCR is investigating these cases — and similar ones — though the companies say there’s been no evidence that victims’ data has been shared or exploited.

Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.

Organizations only have to report them to OCR once a year. Even then, the agency doesn’t post them online and HHS has rejected requests under the Freedom of Information Act for information about them.

HHS is supposed to submit annual reports to Congress about the number and nature of medical privacy breaches and the actions it has taken in response. But the department actually submits such reports every two years and its most recent one covered 2011 and 2012. OCR says another report will be coming soon.

Since 2009, OCR has received information about 1,400 large breaches. During the same time, more than 181,000 breaches affecting fewer than 500 individuals have been reported.

The agency has levied only a few fines for HIPAA violations that involved a small number of people. Among them: In 2011, UCLA Health System agreed to pay $865,500 for failing to protect the privacy of two celebrity patients. And in 2013, Shasta Regional Medical Center in California paid $275,000 for sharing medical information with news organizations and employees about a patient who was featured in a news article alleging potential Medicare fraud.

In September, the HHS inspector general issued a pair of reports that criticized the Office for Civil Rights, including its handling of small breaches. The inspector general said OCR did not investigate the small breaches reported to it or log them in its tracking system.

“OCR does not record that information and therefore it’s not available for staff to be able to look over time” for repeat offenders, said Blaine Collins, regional inspector general for evaluation and inspections in San Francisco. “Boy, that’s critical for monitoring and oversight.”

Samuels said that her agency is implementing the inspector general’s recommendations to improve oversight. “We are constantly looking for ways to better serve the public and improve our operations,” she said.

‘An act of vengeance and retaliation’

Peter Brabeck, a 73-year-old retired petrophysicist who worked for the oil giant BP, turned to OCR in September 2011 when he found himself in the midst of a nightmare.

It began a year earlier when Brabeck’s brother complained to the Medical Board of California that Dr. Steven Mangar, a pain doctor in Salinas, California, had overprescribed controlled substances to Peter. The medical board accused Mangar of prescribing drugs without examining Peter Brabeck and sought to take disciplinary action against his license.

Mangar reacted by hiring a private investigator to dig up dirt on Brabeck, and gave the investigator all of Brabeck’s medical records. When Mangar refused to pay the investigator, the investigator approached Brabeck’s brother and showed him the records. The investigator then offered to sell the records to Peter Brabeck, who within days complained to the Office for Civil Rights.

“Here we have not only a gross violation of [HIPAA] laws protecting the confidentiality of every patient’s medical history, but in my mind far worse,” Brabeck wrote in his complaint. “Here is a deliberate attempt, born of vengeance, with malice aforethought to inflict great harm on his own patient.”

Two years later, the Office for Civil Rights wrote back, saying it was “pleased to inform” Brabeck that his complaint had been resolved. It said it had provided Mangar’s clinic, the Pacific Pain Care Institute, with guidance on how to comply with privacy rules. It said Mangar had acknowledged that he “impermissibly disclosed” Brabeck’s personal health information to the private investigator.

OCR also said that Mangar had agreed to provide Brabeck with free credit monitoring.

“Based on the foregoing, OCR is closing this case without further action,” the letter said.

Brabeck, who lives near Carmel, California, said he never actually received the credit monitoring. More importantly, he was left with a sense that the agency didn’t take his case seriously.

“I made very clear in my letter that it was an act of vengeance and retaliation,” he said. “That’s why I was so surprised at how lightly they dismissed the whole thing.”

Even the private investigator who asked Brabeck’s brother for money was surprised by the outcome of the case.

“In all my years in the business, I never experienced anything like that where a complete file was turned over,” said Dan Taubman, who said he is still owed $6,800 by Mangar. “He didn’t care who he hurt or burned.”

Mangar did not return calls for comment. California’s medical board placed his license on probation in 2012 and is now seeking to revoke it, saying he violated his probation and provided negligent care to other patients. Earlier this year, federal and state investigators served search warrants at Mangar’s office and home. Monterey County Deputy District Attorney Amy Patterson said Brabeck’s concerns are part of a much broader investigation that she could not discuss because it is ongoing.

OCR director Samuels said Brabeck’s case pre-dated her arrival at the agency. But she said it was consistent with “our general principles” in terms of the nature of the injury, the number of individuals affected and a provider’s lack of prior HIPAA violations. She also said the doctor agreed to apologize, which “can be very powerful in terms of remedying the damage that has been done.”

Brabeck said he didn’t get an apology: “No. Absolutely not.”

Warning employees before they snoop

Cedars-Sinai Medical Center in Los Angeles is trying to stop privacy breaches before they happen. Known for its celebrity clientele — its board of directors includes Barbra Streisand and Steven Spielberg — Cedars-Sinai has dealt repeatedly with employees trying to access records they have no business seeing.

In July 2013, the hospital fired six people who inappropriately accessed patient records, reportedly including those of reality TV star Kim Kardashian, who had given birth at the hospital to her daughter with rapper Kanye West.

The hospital fired three employees and took corrective action against three other people last year for inappropriately accessing patient information; it terminated two more workers this year, spokesman Richard Elbaum said.

Like those of other hospitals, Cedars-Sinai’s electronic medical records system has a feature known as “break the glass.” When an employee attempts to access information on high-profile patients, the system asks for a reason and requires the employee to re-enter his or her password, and the access and the stated reason are recorded.

That generally works, but such a warning isn’t in place for every record, in part because officials in the information security world fear it would be ignored if it were seen merely as a second password requirement. For typical patients, it generally takes a complaint to trigger a review of the transaction log to see if anybody inappropriately accessed a record.

Cedars-Sinai is working with security specialists to augment its first layer of protection. Its goal: To create a warning system that generates automatic alerts based on pattern recognition, akin to what credit-card companies use to flag suspicious transactions.

The system will sift through the hospital network’s traffic, looking for unusual activity. It might flag an obstetrician/gynecologist looking at the records of male patients or a staff member who looks at six medical records in quick succession. It might notice a staff member looking at the records of a neighbor. Or it might recognize that one staffer has looked at 20,000 records in a month when peers only viewed 3,000.

“Maybe they deserve a raise — or something is awry,” said Darren Dworkin, chief information officer at Cedars-Sinai Health System.
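The four patterns described above (a specialty that does not match the patient, a burst of charts opened in quick succession, a staff member looking up a neighbor, and a monthly volume far above peers) are straightforward to express as rules over an EHR access audit log. The block below is an added illustration written for this page; it is not Cedars-Sinai’s patented system or any vendor’s product. The audit log, the staff directory, the user and patient identifiers, and the thresholds (six charts in five minutes, three times the peer median) are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Access:
    """One chart-open event as an EHR audit log would record it (constructed schema)."""
    ts: datetime
    user: str
    role: str
    patient: str
    patient_sex: str      # "M" / "F" as recorded on the chart
    patient_street: str   # street from the patient's home address


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    detail: str


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Hypothetical staff directory: the street each employee lives on.
STAFF_STREET = {"dr_ng": "Oak Ave", "dr_ruiz": "Elm St",
                "clerk_a": "Pine Rd", "clerk_b": "Maple Ct", "clerk_c": "Cedar Ln"}

# Constructed audit log for one month; every name and ID here is made up.
AUDIT_LOG = [
    Access(_t("2015-11-02 08:10"), "dr_ng",   "OBGYN", "P001", "F", "Main St"),
    Access(_t("2015-11-02 08:25"), "dr_ng",   "OBGYN", "P002", "F", "Main St"),
    Access(_t("2015-11-03 14:05"), "dr_ng",   "OBGYN", "P003", "M", "Main St"),   # OB/GYN opening a male chart
    Access(_t("2015-11-04 10:00"), "dr_ruiz", "OBGYN", "P004", "F", "Main St"),
    Access(_t("2015-11-05 11:30"), "dr_ruiz", "OBGYN", "P005", "F", "Main St"),
    Access(_t("2015-11-09 13:00"), "clerk_b", "CLERK", "P200", "F", "Main St"),
    Access(_t("2015-11-09 13:20"), "clerk_b", "CLERK", "P201", "M", "Maple Ct"),  # patient lives on clerk_b's street
    Access(_t("2015-11-10 09:00"), "clerk_c", "CLERK", "P300", "F", "Main St"),
    Access(_t("2015-11-12 16:45"), "clerk_c", "CLERK", "P301", "M", "Main St"),
] + [
    # clerk_a opens eight different charts one minute apart: a burst, and far
    # more charts this month than the other clerks.
    Access(_t("2015-11-16 09:00") + timedelta(minutes=i), "clerk_a", "CLERK",
           f"P10{i}", "F", "Main St")
    for i in range(8)
]


def rule_role_sex_mismatch(log):
    """A specialty that has no clinical reason to open charts of that sex."""
    return [Alert(a.user, "role_sex_mismatch", f"{a.role} opened male chart {a.patient}")
            for a in log if a.role == "OBGYN" and a.patient_sex == "M"]


def rule_burst(log, n=6, window=timedelta(minutes=5)):
    """n distinct charts opened by one user inside `window`; one alert per user."""
    by_user = defaultdict(list)
    for a in sorted(log, key=lambda a: a.ts):
        by_user[a.user].append(a)
    alerts = []
    for user, rows in by_user.items():
        for i in range(len(rows) - n + 1):
            chunk = rows[i:i + n]
            if chunk[-1].ts - chunk[0].ts <= window and len({a.patient for a in chunk}) == n:
                alerts.append(Alert(user, "burst", f"{n} charts within {window} from {chunk[0].ts:%H:%M}"))
                break
    return alerts


def rule_neighbor(log, staff_street):
    """Chart of a patient living on the same street as the employee who opened it."""
    return [Alert(a.user, "neighbor", f"patient {a.patient} lives on {a.patient_street}")
            for a in log if staff_street.get(a.user) == a.patient_street]


def rule_volume(log, ratio=3.0, min_peers=2):
    """Monthly chart count more than `ratio` times the median of same-role peers."""
    counts = defaultdict(Counter)           # role -> user -> charts opened
    for a in log:
        counts[a.role][a.user] += 1
    alerts = []
    for role, per_user in counts.items():
        for user, c in per_user.items():
            peers = [v for u, v in per_user.items() if u != user]
            if len(peers) < min_peers:      # too few peers to call anything "unusual"
                continue
            base = median(peers)
            if c > ratio * base:
                alerts.append(Alert(user, "volume", f"{c} charts vs peer median {base:g} ({role})"))
    return alerts


def detect(log, staff_street=STAFF_STREET):
    """Run every rule over the log and return the combined alert list."""
    return (rule_role_sex_mismatch(log) + rule_burst(log)
            + rule_neighbor(log, staff_street) + rule_volume(log))


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(f"{alert.user:8} {alert.rule:18} {alert.detail}")
```

Each rule returns alerts rather than blocking access, which is the right default for a retrospective review; the same functions can be called on a single new event plus recent history to drive the real-time “Are you sure?” prompt Dworkin describes. The volume rule deliberately declines to judge a role with fewer than two peers, since a median of one person is not a baseline.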

Cedars-Sinai, the largest acute-care hospital in California, hopes to make the system live within the next six months. Cedars-Sinai and Dworkin have received a patent on the idea.

“Rather than have to report to a patient I’m sorry this happened, wouldn’t it be better if we had real-time tools that asked you, ‘Are you sure you want to do this?’ Maybe sometimes that gentle reminder can stop something before it happens,” Dworkin said.

One day, Dworkin said, such technology could become routine in health care — and organizations could be fined for not using it. “I can see a time when this stuff becomes the standard operating procedure,” he said. “I hope it does.”

NPR reporter Alison Kodjak contributed to this report.

This story is part of a yearlong examination into how secure medical privacy is. Has your medical privacy been compromised? Help ProPublica investigate by filling out a short questionnaire. You can also read other stories in our Policing Patient Privacy series.

ProPublica is a Pulitzer Prize-winning investigative newsroom.
