32 Large Patient Data Breaches Since September, Says OCR

By dnicastro@hcpro.com
February 23, 2010

OCR posted on its Web site a list of covered entities this week that have reported breaches of unsecured PHI affecting more than 500 individuals, fulfilling its obligation under HITECH.

The HHS organization, which oversees enforcement and compliance of the HIPAA privacy and security rules, reports that since September 22, 2009, 32 covered entities have reported breaches that affected at least 500 individuals.

In the cases where a business associate (BA) is involved, OCR lists those organizations as well. OCR reports that among the 32 breaches of 500 or more, seven included BAs. OCR cited one of the BAs by name -- Rick Lawson of Professional Computer Services. That reported breach, in Wilmington, NC, involved 2,000 individuals and was the result of a hacker, according to OCR.

The most egregious breach case came from Blue Cross Blue Shield of Tennessee, which affected 500,000 as a result of stolen hard drives, OCR reported on its Web site.

Following Blue Cross Blue Shield is AvMed, Inc., a Gainesville, FL, health plan. That reported breach occurred on December 10, 2009 and affected 359,000 individuals, according to the post on the OCR site. It resulted from a stolen laptop.

HITECH requires OCR to make public any breaches of 500 or more. OCR says on the site it will continue to update the page as it receives new reports of breaches of unsecured PHI.

The requirement is included in the interim final rule on breach notification, which became effective on September 23, 2009.

Those regulations require:

  • Notice to patients alerting them to breaches "without unreasonable delay," but no later than 60 days after discovery of the breach
  • Notice to covered entities (CEs) by BAs when BAs discover a breach
  • Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
  • Notice to next of kin about breaches involving patients who are deceased
  • Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE's response
  • Annual notice to the secretary of HHS 60 days before the end of the calendar year about unsecured PHI breaches involving fewer than 500 patient records

Other notable breaches posted this week include:

Blue Cross Blue Shield Association
State: District of Columbia
Business associate involved: Merkle Direct Marketing
Approximate number of individuals affected: 15,000
Date of breach: October 7, 2009
Type of breach: unauthorized access
Location of breached information: mailings

Detroit Department of Health and Wellness Promotion
State: Michigan
Approximate number of individuals affected: 10,000
Date of breach: October 22, 2009
Type of breach: theft
Location of breached information: portable electronic device

Universal American, Inc.
State: New York
Business associate involved: Democracy Data & Communications, LLC
Approximate number of individuals affected: 83,000
Date of breach: November 12, 2009
Type of breach: incorrect mailing
Location of breached information: postcards

Kaiser Permanente Medical Care Program
State: California
Approximate number of individuals affected: 15,500
Date of breach: November 1, 2009
Type of breach: theft
Location of breached information: portable electronic device

Goodwill Industries of Greater Grand Rapids, Inc.
State: Michigan
Approximate number of individuals affected: 10,000
Date of breach: December 15, 2009
Type of breach: theft
Location of breached information: backup tapes

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
