The Security Scrutinizer with Howard Anderson

Breach List to Name Solo Practices

The Office for Civil Rights within the Department of Health and Human Services will begin naming the names of solo practitioners who have major breaches, rather than listing them only as "private practice." And that's only fair, because all other organizations of all sizes are named on the list.

When I originally asked why these practices weren't named on the list, which was mandated by the HITECH Act, OCR officials told me, as noted in an earlier blog, "Under current Privacy Act of 1974 provisions, the Office for Civil Rights may not disclose the names or other identifying information about private practitioners without their written consent."

Well, OCR took a closer look, and it determined that by expanding the definition of "routine use" of information that it gathers with its "system of records," which is now being modified, it could justify naming names, officials confirm.

So the names of private practices should begin appearing on the list of breaches that affect more than 500 individuals by late May, officials say.

OCR issued a notice in the Federal Register April 13 about modifying its system of records, including a computer system called the Program Information Management System. Once the comment period on that notice ends May 23, the change in policy on naming solo practitioners can kick in.

In addition to naming names for all future major breaches at solo practices, OCR will name names retroactively as well, a spokesman said.

And that's progress.

But OCR still has a lot of work to do to make the list far easier to use. For example, visitors shouldn't have to make five clicks to find the list buried deep within its Web site.

Also, it's impossible to tell what breaches have been added to the site from week to week unless you've been saving printouts. That's because they're listed based on the date of the incident, not the date when the information was added. OCR could simply add the date when each breach was posted to make it easier for folks to identify new cases.

OCR also could provide a state-by-state guide, with an alphabetical list of organizations that have reported breaches. That way, if you moved to another state, you could easily find the list of local organizations with breaches reported.

But identifying "private practices" by name is, indeed, a good start down the path toward improving the list.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
