HIPAA violators get few penalties for trashing your privacy
Indiana is one of the worst states in the nation for major security breaches involving your health care records. What happens to companies that fail to protect your private information? 13 Investigates shows you why the people and corporations that break the law and violate your privacy often get away with it ... with no penalty at all.
INDIANAPOLIS - No one realized it at the time, but the robbery of a Bloomington grandmother eventually cost drug stores millions of dollars.
A drug addict went to Margie Kerr's front door and, posing as a pharmacy worker, he stole the grandmother's pain medication right out of her hand. Police say the thief tracked Margie down after finding her prescription records inside an unsecured dumpster in the parking lot of her CVS pharmacy.
Following the incident, 13 Investigates checked pharmacy dumpsters across Indiana to see if the problem was widespread. At drug store after drug store, WTHR found Hoosiers' private health care records simply thrown in the trash.
The discovery prompted Eyewitness News to expand the 2006 investigation to a dozen other cities across the nation. From Boston and Miami to Denver and Phoenix, 13 Investigates exposed more drug store dumpsters left wide open and full of protected health information.
The nation's three largest pharmacy chains – Walgreens, CVS and Rite Aid – were jeopardizing the privacy of millions of Americans.
Customers were outraged, and the federal government took notice.
After seeing WTHR's "Prescription Privacy" investigation, the U.S. Department of Health and Human Services issued $3.25 million in fines against CVS and Rite Aid.
The penalties are among the largest in U.S. history for failing to protect customers' health care privacy – and they are very rare.
More than six years after the investigation, there is still no penalty for Walgreens.
Despite bags full of proof that the nation's largest drug store chain violated customer privacy, its own corporate policies and longstanding federal law, the government's case against Walgreens appears to be stalled – and perhaps forgotten – in Washington.
The case is reminiscent of a much larger problem: a well-intentioned national health care privacy law that is often broken but seldom enforced with any real punishment.
Thousands of violations
When Congress passed the Health Insurance Portability and Accountability Act in 1996, it was considered a major win for consumers. The law, better known as HIPAA, protects the privacy of an individual's health information and governs the way health care providers collect, maintain, use and disclose protected health information (PHI).
"It's a good law and an important law," explains Joan Antokol, an attorney who specializes in health care privacy. "It was supposed to protect the little guy and make sure health care providers are being responsible with your private information."
Since the federal government began enforcing HIPAA in April 2003, the health department's Office for Civil Rights has received more than 75,000 formal complaints about alleged violations.
Investigators have determined about 18,000 of those cases involved actual privacy violations that required corrective action.
But despite those 18,000 violations, OCR has issued only 11 monetary penalties against the companies and individuals that broke federal law.
For those who fall victim to careless or reckless health care providers, it's a harsh reality: a tiny fraction of companies that violate HIPAA will face punishment, and many of the cases drag on for years without resolution.
"Like there's no law at all"
Four years ago, Todd Murashige was attacked by a shark while surfing off the coast of Hawaii.
"There was no splash, no fin, no nothing," recalls Murashige. "I just went 'Ahhhhhhh!'"
The champion surfer was rushed to an emergency room where doctors saved his leg.
Murashige says while he was in the hospital, a member of the medical staff took a graphic photo of his injuries, and it ended up on the Internet.
"That picture of my wound was taken while it was gaping wide open," Murashige told 13 Investigates. "I had to stop my photo from being circulated while I was recuperating."
He filed a HIPAA complaint against the hospital. Four years later, Murashige has heard nothing about the complaint and there has been no penalty.
"It's a frustrating situation and I feel it's being swept under the rug," he said. "Health care workers get so much training in HIPAA laws and then, when something does happen, it's like there's no law at all. I'm puzzled about it."
Millions put at risk
While some cases involve the privacy of an individual, others involve the privacy of thousands – or even millions – of patients.
13 Investigates found numerous examples of big insurance companies that failed to protect the health care privacy of their customers.
In 2009, a data breach at AvMed jeopardized the private information of more than 1.2 million customers after laptop computers were stolen from the health insurance company's corporate offices in Gainesville, Fla.
Insurance company Health Net put its customers at risk when a disk drive containing private information on 1.9 million patients was stolen last year in California.
Breaches of unsecured protected health information affecting at least 500 people must be reported to the U.S. Department of Health and Human Services, and Indiana is well represented on the government's list of "major breaches."
Indiana companies have reported 18 such breaches in the past three years. Only five other states have reported a higher number of major breaches during that time: California (57), Texas (41), New York (30), Florida (23) and Illinois (23).
The Indiana breaches involve major health care corporations such as Wellpoint, St. Vincent Hospital, IU Medical Group, Kindred Healthcare, Midtown Mental Health Center and Indiana Family and Social Services. Most of the breaches involve the theft, hacking or improper disposal of health care records, and they affect a combined total of nearly 100,000 Hoosiers.
None of the Indiana breaches has resulted in a fine or penalty from the federal government.
AvMed and Health Net have not been fined by OCR either.
Six years and counting
OCR is willing to say very little about pending cases, and there are thousands of them. The agency usually will not even confirm whether it is investigating a company accused of violating patients' health care privacy.
But the agency did confirm for WTHR that it has an open case against Walgreens and that its investigation into bags of protected patient information found in Walgreens dumpsters is still ongoing.
While the government's cases against CVS and Rite Aid were completed years ago (and those pharmacies paid millions in fines), OCR is still investigating the identical violation at Walgreens – found and reported at the same time as those at CVS and Rite Aid – nearly six years after it was brought to the agency's attention.
The question, of course, is why?
"These investigations, we never know how long they're going to take," explained Leon Rodriguez, director of the U.S. Health Department's Office for Civil Rights, the federal agency that's handling the Walgreens case. "I've been around long enough to know, for perfectly legitimate reasons, an investigation can take five years and even more. And there are times the reasons are not legitimate."
Asked to explain further, Rodriguez said, "A case can be very complex. There can be a large volume of evidence. There's a lot of moving parts in an investigation, and while you're investigating, you may also be negotiating at the same time. And sometimes, it has nothing to do with that. It could just be inefficiency. That happens, too."
Rodriguez said he is not allowed to comment specifically on the government's Walgreens investigation.
Walgreens, the largest retail drugstore chain in the nation with nearly 8,000 pharmacies, says it has been cooperating with OCR and providing documentation to aid in its probe.
"Although we haven't yet received a closure letter from OCR related to this matter, we have not received any additional requests for information. That's all the info we have," said a Walgreens spokesman.
"Simply not satisfactory"
While WTHR is asking questions about the government's lenient enforcement of HIPAA, some lawmakers in Washington are doing the same.
Just a month after 13 Investigates questioned Rodriguez, senators called him to appear at a public hearing on Capitol Hill to explain why OCR has issued so few HIPAA penalties.
Rodriguez explained that OCR prefers to work with companies that violate patient privacy – helping to bring them into compliance for past violations and to prevent future breaches – rather than take a more heavy-handed approach of issuing fines.
Lawmakers still expressed concern about minimal consequences for companies that fail to follow a national health care privacy law that's been on the books for nearly a decade.
"When it comes to health care information, our right to privacy is not being fully protected," said Sen. Al Franken (D-Minn.), presiding over the Senate Judiciary Subcommittee on Privacy, Technology and the Law. "The overall record of enforcement is simply not satisfactory."
Antokol agrees. She says cases involving clear-cut HIPAA violations – such as the Walgreens case – should have been resolved years ago.
"Investigations can take a long time, but I think there is no reasonable explanation to justify more than five years for Walgreens when you have other pharmacies that were fined a long time ago for doing the same thing," she said. "This is a long period of time and it can easily send a message to consumers that maybe this isn't as important as it should be to the government."
Antokol said she had spoken to an OCR representative who assured her the Walgreens case would be resolved by the end of the year. That was last year – and the case is still open.
So will the case against Walgreens just go away with no penalties and no fines?
"It's always a possibility, but I think there could be significant backlash and it also sends a message of unfairness," Antokol said. "No matter what happens, they really need to react quickly and efficiently, and that's not been happening."
More fines coming?
Rodriguez told WTHR the days of lax HIPAA enforcement are over. He said companies that violate your privacy will be held responsible, and that more fines and harsher penalties will be coming.
"I think that's absolutely fair to expect," he said. "I think it is now reasonable to have much higher expectations."
OCR has followed through – sort of.
Since Rodriguez's interview with WTHR last fall, his agency has levied monetary penalties against four companies that violated HIPAA. The four fines – totaling $4.8 million – might not seem like much, but they are at least somewhat noteworthy when put into historical perspective.
Prior to that interview, OCR had issued only seven penalties in eight years totaling $9.5 million.
The past twelve months have reflected an increased number of punishments issued by the agency, even if the vast majority of violators still escape with no federal fine.
And the potential fines are now significant.
Congress originally capped HIPAA penalties at $100 per day. In 2009, lawmakers enacted the Health Information Technology and Clinical Health Act (HITECH), dramatically increasing the monetary penalties for HIPAA violations to a maximum of $50,000 per day.
The HITECH Act also allows states' attorneys general to levy fines and seek attorney fees from covered entities on behalf of victims.
Critics of the new fine structure say companies that break the law often pay a hefty price even if they are not issued a penalty by the federal government. Health care providers that breach patient information are now required to notify all patients affected. The resulting investigation and remediation can cost thousands – even millions – of dollars. BlueCross BlueShield of Tennessee, for example, reportedly incurred more than $17 million in direct expenses related to 57 unencrypted computer hard drives stolen from the company. Those hard drives contained protected health information of over 1 million individuals. The company was also fined $1.5 million by OCR.
Rodriguez said the fines offer an additional incentive to protect patient privacy.
"It's one of the tools we use to ensure compliance," he said. "We don't use the tool frequently, but we will when it's warranted."
For now, fining companies that jeopardize patient privacy is more of a threat than a reality, and it is unclear whether that threat is truly making an impact on patient privacy.
"The handful of enforcements under HIPAA, it's really insignificant," said Antokol. "To the public and to medical organizations across the U.S., it really doesn't seem there's a whole lot of privacy enforcement taking place. That's not a message you want to send."
NOTE: Over the past several months, WTHR has re-inspected dozens of drugstore dumpsters around central Indiana. Most of the dumpsters were locked. Those that were accessible did not contain any protected health care information. Following WTHR's investigation and lawsuits filed by the Indiana Attorney General's office, CVS, Walgreens and Rite Aid agreed to implement major changes to protect patient privacy. The changes included better safeguards for disposing of patient records. Based on recent inspections of the drugstores' dumpsters, it appears those changes are working.