Invite a Friend

Sitemap

Home

Technology
e-Newsletter

Intelligence Unit

Special Reports

Special Events

Subscribe

Sponsored

Departments

Follow Us

Home > Technology > Tech News & Analysis

Large Patient Information Breaches Skyrocket

Comment

RSS

News Widget

Dom Nicastro, for HealthLeaders Media, April 16, 2010

The number of entities reporting breaches of unsecured PHI affecting 500 or more individuals has doubled since the agency that enforces the HIPAA privacy and security rules first posted them on its Web site two months ago.

The Office for Civil Rights (OCR) in February posted a list of 32 entities that since September 22, 2009, had reported the egregious breaches to OCR. On Friday, that number climbed to 64.

HITECH requires OCR to make public any breaches of 500 or more. OCR said on the site it will continue to update the page as it receives new reports of breaches of unsecured PHI.

The requirement is included in the interim final rule on breach notification, which became effective on September 23, 2009.

Those regulations require:

Notice to patients alerting them to breaches "without unreasonable delay," but no later than 60 days after discovery of the breach

Notice to covered entities (CE) by business associates (BA) when BAs discover a breach

Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records

Notice to next of kin about breaches involving patients who are deceased

Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE's response

Annual notice to the secretary of HHS 60 days before the end of the calendar year about unsecure PHI breaches involving fewer than 500 patient records

Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix, AZ, and principal of HIPAA Boot Camp in Casa Grande, AZ, released a report to HealthLeaders Media that breaks down the types of breaches posted on the OCR Web site.

Highlights include:

27% involve laptops

19% involve paper records

17% involve desktop computers

Of the 64 breaches of unsecured PHI, 11 involved business associates. Eight of the entities on the Web site are listed as "private practice." OCR says it cannot list the names of sole practitioners who do not give it consent, per the Privacy Act of 1974.

1 | 2

Email to a colleague

RSS

News Widget

Archive

Printer Friendly

Be the first to make a comment

Comments are moderated. Please be patient.

Health data losses: Don’t blame hackers

While patients and doctors often worry about medical records being hacked by cybercriminals and Internet snoops, the most common cause of health data breaches is physical theft of computing gear, according...

HITECH: 2 Years In, Verdict Still Out

There is hardly any tangible evidence that the HITECH Act has significantly changed the landscape of protecting patients' privacy. But the legislation has given organizations plenty of reasons to be...

Will the Feds Delay HITECH Business Associate Provisions?

The OCR may delay enforcement of the HITECH provisions regarding business associates because it has yet to publish its own regulations surrounding those provisions.

Book: The HIPAA and HITECH Toolkit

The HIPAA and HITECH Toolkit is a valuable resource that helps both CEs and BAs understand and meet the HITECH Act's expanded HIPAA Privacy and Security rules and ensure compliance. It...

go to complete list