The number of entities reporting breaches of unsecured PHI affecting 500 or more individuals has doubled since the agency that enforces the HIPAA privacy and security rules first posted the list on its Web site two months ago.
The Office for Civil Rights (OCR) in February posted a list of 32 entities that since September 22, 2009, had reported the egregious breaches to OCR. On Friday, that number climbed to 64.
HITECH requires OCR to make public any breaches affecting 500 or more individuals. OCR said on the site that it will continue to update the page as it receives new reports of breaches of unsecured PHI.
The requirement is included in the interim final rule on breach notification, which became effective on September 23, 2009.
Those regulations require:
Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix, AZ, and principal of HIPAA Boot Camp in Casa Grande, AZ, released a report to HealthLeaders Media that breaks down the types of breaches posted on the OCR Web site.
Of the 64 breaches of unsecured PHI, 11 involved business associates. Eight of the entities on the Web site are listed as "private practice." OCR says it cannot list the names of sole practitioners who do not give it consent, per the Privacy Act of 1974.