[ Thursday, April 15, 2010 ]
Why no names?
I recently posted that some folks are unhappy that, when HHS lists the covered entities with data breaches involving over 500 people, they don't always list the name of the entity. In some cases, they just say it's a "private practice" without saying which private practice. Dom Nicastro has ferreted out an answer why HHS does that -- they're applying the Privacy Act of 1974 (what? there was privacy before HIPAA?), which says they can only release the name if the covered entity gives its approval.
UPDATE (or, Nicastro gets results): the ferreting out has resulted in a change of heart on HHS' part -- they will now list the names. According to HHS, the Privacy Act allows them to list the entity's name without consent only for a purpose that is "compatible with the purpose(s) for which the information was collected." Is disclosing the names compatible with the purpose for which the information was collected? I guess it depends on why you think HHS is collecting information on >500 person disclosures. Is it to shame the disclosers? To warn the general public about possible disclosures, to the extent the general public dealt with those entities? Is it to give an anonymized snapshot of just how much data leakage there is? If it's the first 2, then HHS could, under the Privacy Act, name names. If the purpose of the data breach list is just to give a blind idea of how bad privacy protection is all over, then they can't name names.
Whichever the answer is (who knows? I guess only Congress knows), HHS has defaulted from naming names being contrary to the purpose(s) of the list, to being part of the purpose(s) of the list.
In other words, HHS will now name names.
Jeff [2:49 AM]