Transparency? Government says no can do on medical record breaches

I have a letter on my desk from Robert Eckert, the HHS public affairs officer who handles Freedom of Information Act requests for the agency's Office for Civil Rights. I'm unhappy with Eckert's message.

Since June, I've pursued a request for an electronic copy of the data OCR has received on more than 30,500 security breaches involving patient-identifiable medical records. The American Recovery and Reinvestment Act of 2009 requires HIPAA "covered entities" that experience breaches to report the date, size and other details of these breaches to the OCR.

Under the stimulus law, breaches involving 500 or more records must to be reported promptly and posted on the OCR's website. Breaches of fewer than 500 records must be reported to the civil rights office once a year. And while the stimulus law does not require the office to post these lesser breaches, neither does the law authorize the OCR to hide that information, which is what it is trying to do.

Eckert says the OCR claims all of the records I've requested are "the subject of an open investigation" and so, since a FOIA provision "permits the withholding of open investigatory records . . . when disclosure could reasonably be expected to interfere with enforcement proceedings," he's denying my FOIA request in its entirety. And, if that legal argument doesn't cover their butts, "additional FOIA exemptions may be applied," he said.

In its own recent report to Congress, OCR revealed it had closed just 76 cases of the 252 larger breaches reported from September 2009 through Dec. 31, 2010. It's almost certain that details of all 252 cases were publicly posted—without detrimental effect to OCR's "open" investigations. Also, that report made no mention that OCR is investigating any, much less all 30,500, of the smaller breach reports.

What OCR seems to be saying by withholding this data is: "Let's protect the perps."

But releasing this information isn't about embarrassing breachers, although that would have a salutary effect. It's about putting publicly gathered data to full, public use and learning more about what went wrong at 30,500 providers, payers and other data handlers.

In its report to Congress (PDF) the OCR devoted five pages of analysis to larger breaches, but just four skimpy paragraphs to the smaller ones. If OCR doesn't want to slice and dice the data any more than that, someone else should. One intriguing item OCR did mention about the smaller breaches was that users reported "fixing 'glitches' in software that incorrectly compiled lists of patient names and contact information."

Shouldn't someone figure out how that happened and pass the word?

I can think of many more legitimate questions this database could pose and answer, but I'll not enumerate them. E-mail me at [email protected] with your suggestions and if I get enough, I'll blog with them later.

President Barack Obama once promised his would be the most transparent administration in history. Someone at OCR didn't get the memo.

Follow Joseph Conn on Twitter: @MHJConn.