The Dayton Daily News is committed to coverage of the health care industry and stories that impact your health. For this story, I-Team reporter Katie Wedell submitted numerous records requests with the federal government to get information on privacy breaches not readily available to the public.
The I-Team compiled all HIPAA violations investigated by the Department of Health and Human Services through federal records requests. Search the full database of health care privacy complaints in Ohio online at mydaytondailynews.com.
More than 700 allegations of patient privacy law violations have been filed against Ohio health care facilities since 2010, with most of the ensuing investigations closed after minimal guidance from the federal agency tasked with oversight.
The largest health care privacy breach in Ohio occurred in Springfield last year when a contractor working for Community Mercy Health Partners inadvertently disposed of more than 113,000 medical records in a public recycling bin.
While investigating that incident, the I-Team requested information on smaller breaches that affected fewer than 500 people, which account for nearly 99 percent of violations of the law that provides safeguards for medical information.
A Freedom of Information Act request yielded a database of about 780 investigations in Ohio, but did not include details of alleged violations.
About 30 percent of those cases were closed after corrective action by the health care organization. Another 30 percent were closed with the government providing recommendations for improvement.
In the remaining cases, it was either determined that no violation occurred or the complaint was closed in some other manner, and fines are extremely rare.
Privacy and security experts, as well as patients impacted by local HIPAA breaches, have questioned whether enforcement goes far enough to deter repeated violations that potentially expose patient medical and personal information and could lead to identity theft.
“We trust them to take care of us and our medical records and to keep them private. Why have the HIPAA rules if they disregard them?” said Melanie LeVan, of Mechanicsburg.
She and her husband were notified that their information was among the records exposed in November by Community Mercy.
The health care industry lags behind others when it comes to cyber security, experts say. With the largest breaches in recent years coming as the result of hacking — including a massive attack on Anthem that affected about 78.8 million people, including 5 million consumers in Ohio — some think companies may be too focused on internal snafus while cyber threats persist.
Kettering Health Network and Premier Health Partners each have had more than a dozen complaints in their systems in the past five years, according to government data.
Kettering wasn’t able to provide details on individual cases — 12 resulting in corrective action or technical assistance — but said the majority were incidents in which internal monitoring systems alerted them to improper records access, which are self-reported to the Department of Health and Human Services Office of Civil Rights.
Entities are required to report only smaller breaches on an annual basis, but may report at any time.
“In general, what we have found, and this is fairly consistent when I talk with my colleagues (in the privacy field), a lot of these breaches are folks that are familiar with each other or they know each other and it’s a curiosity or a snooping matter,” said Megan Brickner, privacy officer for Kettering.
“We have zero tolerance for that … a snooping matter could rise to the level of termination.”
When KHN is alerted that records have been accessed in violation of privacy laws, the patient and OCR are notified and corrective action and discipline are initiated, Brickner said.
Premier spokeswoman Sharon Howard said the health network that oversees Miami Valley and Good Samaritan hospitals in Dayton educates its employees annually and as needed, along with having auditing and monitoring procedures in place.
“Any allegation of a breach that may have occurred is investigated,” Howard said.
Between 2010 and 2013, Wright-Patterson Medical Center reported four HIPAA violations to OCR.
“The HIPAA office conducts a full investigation into each potential violation, including interviews with suspected members, as well as audits of appropriate electronic health records,” said Daryl Mayer, spokesman for Wright-Patterson Air Force Base.
“The results of these investigations are forwarded to the Department of Health and Human Services by the Air Force Medical Operations Agency.”
If a staff member is found in violation of health information privacy rules, they go through remedial training or are subject to immediate administrative action, he said.
Independent researchers with the Ponemon Institute have surveyed health care organizations and their business partners about data privacy and security for six straight years.
In its most recent study, released in May, 89 percent of health care organizations reported at least one data breach in the past two years. Forty-five percent had experienced more than five breaches.
The study revealed a dichotomy where health care organizations say they are most concerned with negligent or careless employees — 69 percent of respondents said this worries them most — but also report that half of all breaches have criminal attacks as their root cause.
Health care organizations are disproportionately focused on the wrong threats, said Rick Kam, president and co-founder of ID Experts, the cyber protection company that sponsors the Ponemon survey.
“The frequency of data breaches from criminal attacks is about the same frequency as breaches from employee snafus,” he said. “The difference is criminal attacks are typically malicious, resulting in medical identity theft and medical fraud, versus the accidental disclosures by employees.”
Kam said the government hasn’t achieved much in preventing violations: “There is a lack of accountability.”
Organizations should be investing in security measures that detect cyber attacks, malware, and ransomware to reduce the frequency and impact of breaches, Kam said.
“Health care is the number one target right now,” said Kettering Health Network’s Chief Information Security Officer Michael Berry. “The data we have is the most valuable out there. Even more valuable than in the financial industry.
“If I stole your credit card you could change your credit card. If I steal your medical identity you can’t very well change that.”
Despite the threats, most organizations are woefully underprepared for cyber security threats, according to Justin Moore, CEO of cyber security firm Axcient.
Without stronger government enforcement, the main motivation for companies to spend money on protecting information is the damage a breach can do to a brand’s reputation, he said.
“You have this toothless thing called HIPAA,” Moore said, adding that if someone were randomly auditing, and fining, health care companies for violations, there would be a quick turnaround like what was seen in banking when tougher regulations were implemented.
The 2009 Health Information Technology for Economic and Clinical Health Act was intended to strengthen government oversight of health care providers and included a requirement that OCR create an audit program.
After conducting a pilot program in 2012 — auditing about 115 companies nationwide — the agency said its “Phase 2” audit program is underway. Desk audits are expected to begin in July.
OCR was called out by its Inspector General last year for not being proactive enough. It says its new random audit program is designed to proactively identify potential problems with patient data.
“OCR’s oversight is primarily reactive,” the report said.
It also noted that in about half of the closed privacy cases, OCR determined that covered entities were non-compliant with at least one privacy standard and it requested corrective action.
The I-Team found that noncompliance was identified in about 60 percent of the Ohio cases since 2010. Almost all of them resulted in corrective action being requested or technical assistance provided.
But those designations don’t necessarily mean the entity made any changes in response to OCR’s findings.
In one case opened in 2013 involving Community Mercy in Springfield, the hospital received a technical assistance letter but determined through an internal investigation that there was no privacy breach, according to Deborah Reif, corporate responsibility and privacy officer.
“When the OCR sends a technical assistance letter, it has closed the complaint and does not expect a response from the covered entity,” Reif said.
Hospitals still have an incentive to implement recommendations from those letters, Reif said, because OCR could come back and open an investigation.
But checking complaint history was another area in which OCR was criticized by the Inspector General.
The report found about 70 percent of OCR staff, “at least sometimes checked whether covered entities had been previously investigated, some rarely or never did so.”
Checking could be difficult because the agency does not have a standard way to enter covered entities’ names in its system, the report said. The data provided to the I-Team included several variations of names for a single entity.
Deven McGraw, OCR deputy director for health information privacy, said in a statement that an entity’s history, including prior breaches or complaints, is one factor OCR takes into consideration in determining whether to move forward with an investigation.
Prior breaches or investigations also are factors considered in pursuing more formal action, she said.
Fines — the federal government's most severe enforcement tool — have been assessed just 35 times.
Impact on patients
Since 2009, OCR has investigated nearly 1,600 large health data breaches and more than 134,000 smaller breaches and complaints. Those incidents have impacted more than 158 million patients, exposing information from addresses and medical diagnoses to Social Security numbers and insurance information detailed enough for someone to assume a fake medical identity.
Community Mercy Health Partners said it has received no complaints from patients regarding identity fraud or any other improper use of the information that was breached in November.
But patients still feel violated when their information is exposed.
“This incident has made my husband and I not want to trust hospitals with our information,” said LeVan.
After being notified by letter that their records were among those improperly disposed of in Springfield last year, the couple called the help line Community Mercy set up for patient questions.
They were initially told they couldn’t get copies of what was exposed. The hospital eventually sent a document on which one line of their information appeared.
“It made us worry less by knowing what of ours was in the dumpster,” LeVan said.
But she wishes more was done to hold hospitals accountable.
“Hospitals need to have repercussions to these things and not just a slap on the wrist or them saying ‘sorry,’ ” she said.
Individuals don’t have the ability to sue under HIPAA, but as consumers, patients have huge power, ID Experts’ Kam said.
“If consumers are upset they can take their business elsewhere,” he said.