The number of entities reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals has hit 225. The web site was born out of HITECH and has been live since February 2010.
OCR says the breach reports date back to September 2009. Hence, it's been about 17 months since OCR began accepting the reports. That amounts to about 13 reports filed per month, or 0.44 per day.
- 10 – Number of reports affecting more than 100,000 individuals, or 4.4 percent of the total number of breaches.
- 4 – Number of reports affecting between 50,000 and 99,999 individuals
- 6 – Number of reports affecting between 25,000 and 49,999 individuals
- 27 – Number of reports affecting between 10,000 and 24,999 individuals
- 61 – Number of reports that involve a laptop, or 27.1 percent.
HITECH’s breach notification interim final rule is still in effect. OCR had been close to signing off on a final rule before it pulled the rule out of the hands of the Office of Management and Budget (OMB) for further review.
The interim final rule requires:
- Notice to patients alerting them to breaches “without unreasonable delay,” but no later than 60 days after discovery of the breach
- Notice to covered entities (CE) by business associates (BA) when BAs discover a breach
- Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
- Notice to next of kin about breaches involving patients who are deceased
- Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE’s response
- Annual notice to the secretary of HHS 60 days after the end of the calendar year about unsecured PHI breaches involving fewer than 500 patient records
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.