The Office for Civil Rights' (OCR) list of entities reporting major patient information breaches began at 32 about four months ago.
It is now near 100.
The number of entities reporting breaches of unsecured PHI affecting 500 or more individuals has nearly tripled since the agency that enforces the HIPAA privacy and security rules first posted them on its website in February.
OCR posted a list of 32 entities that, since September 22, 2009, had reported the egregious breaches to OCR. On Friday, that number climbed to 93.
"I'm interested to see how long before we see over 100 entities listed," says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ. "The way things are looking, I expect the list to hit 100 by the end of June."
Ruelas says he's received many questions over the last couple of weeks about who bears the cost of notifications.
"My response is that before investing time (and money) in going down this very busy and curvy road, look at options to encrypt," he says. "It seems more and more that this is the best and probably easiest way to avoid breach notification-induced chest pain."
HITECH requires OCR to make public any breaches of 500 or more. OCR said on the site it will continue to update the page as it receives new reports of breaches of unsecured PHI.
The requirement is included in the interim final rule on breach notification, which became effective on September 23, 2009.
Those regulations require:
- Notice to patients alerting them to breaches "without unreasonable delay," but no later than 60 days after discovery of the breach
- Notice to covered entities (CE) by business associates (BA) when BAs discover a breach
- Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
- Notice to next of kin about breaches involving patients who are deceased
- Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE's response
- Annual notice to the secretary of HHS 60 days before the end of the calendar year about unsecure PHI breaches involving fewer than 500 patient records
Of the 93 breaches of unsecured PHI, 17 involve business associates (BAs), or nearly one out of every five.
Ten of the entities on the website are listed as "private practice." OCR has told HealthLeaders Media it will begin posting the names of entities they consider "individuals" regardless of whether or not those entities give consent.
Currently, OCR does not post the names of such entities (namely sole practitioners) if they do not give OCR consent; OCR treats them as protected "individuals" per the Privacy Act of 1974. Instead, OCR lists them as "private practice."
However, those entities will be unmasked because listing them falls under the "routine use" provision of the privacy act, which allows OCR to post their names without getting consent.
The breach affecting the most individuals is now AvMed, Inc. of Florida, whose Dec. 10, 2009, breach involving a laptop affected 1.22 million individuals.
Filling out the top five breaches with the largest number of affected individuals are:
AvMed, Inc.
State: Florida
Approximate number of individuals affected: 1,220,000
Date of breach: Dec. 10, 2009
Type of breach: Theft
Location of beached information: Laptop
Blue Cross Blue Shield of Tennessee
State: Tennessee
Approximate number of individuals affected: 998,442
Date of breach: Oct. 2, 2009
Type of breach: Theft
Location of breached information: Hard drives
Affinity Health Plan, Inc.
State: New York
Approximate number of individuals affected: 344,579
Date of breach: Nov. 24, 2009
Type of breach: Other
Location of breached information: Other
Emergency Healthcare Physicians, Ltd.
State: Illinois
Business associate involved: Millennium Medical Management Resources, Inc.
Approximate number of individuals affected: 180,111
Date of breach: Feb. 27, 2010
Type of breach: Theft
Location of breached information: Portable electronic device, other
Providence Hospital
State: Michigan
Approximate number of individuals affected: 83,945
Date of breach: Feb. 4, 2010
Type of breach: Other
Location of breached information: Hard drive
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.