To create the database, called HIPAA Helper, ProPublica analyzed data from:
The database contains:
According to ProPublica, the database allows consumers to more easily search for HIPAA violations by standardizing health care organizations' names. OCR's data often included several different names for one organization, according to the analysis.
Meanwhile, ProPublica used the same data pool to examine the number of repeat HIPAA offenders.
ProPublica considered a complaint a HIPAA violation if it resulted in:
The investigation found that hundreds of health care organizations and providers across the country repeatedly violated HIPAA between 2011 and 2014.
Between 2011 and 2014, the investigation found the top repeat offenders were:
However, the investigation found that OCR took no punitive action against those providers.
According to ProPublica, OCR has significant flexibility in how it handles complaints, with the majority of issues resolved privately and informally. The agency also can impose fines of up to $50,000 per violation, with an annual cap of $1.5 million.
Deven McGraw, deputy director for health information privacy at OCR, said while the agency typically focuses on incidents that affect at least 500 people, more could be done to address providers with repeat violations.
She said, "I don't like the idea of repeat offenders not being called to task for that behavior, and I would like to see us doing more in this regard." McGraw noted that OCR's case management system is being fixed to flag repeat offenders.
Further, Joy Pritts -- a health information privacy and security consultant and former chief privacy officer at the Office of the National Coordinator for Health IT -- said, "The patterns [ProPublica] identified makes a person wonder how far a company has to go before HHS recognizes a pattern of noncompliance."
Meanwhile, Nicolas Terry -- a professor and executive director of the Hall Center for Law and Health at Indiana University's law school -- said OCR has stepped up its disciplinary actions, in part by issuing more fines against providers with larger breaches. However, he said more could be done (Ornstein/Waldman, ProPublica, 12/29/15).