Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches on its Web site.
On November 4, 2011, OCR reported a total of 364 such breaches, up from 345 in its previous post in October. The 364 breaches have impacted 18,190,451 persons in breaches reported by covered entities from September 22, 2009—the day prior to the effective date of the Breach Notification Rule—to September 14, 2011. The increase of 6,230,963 impacted individuals represents a skyrocketing jump of just over 52% from the 11,959,488 accounted for in the October post of 345 breaches. Two breaches accounted for most of that increase: TRICARE Management Activity (Virginia) loss of backup tapes on September 13, 2011, impacting 5,117,799 individuals; and The Nemours Foundation (Florida) loss of backup tapes on August 10, 2011, impacting 1,055,489 individuals. The TRICARE breach also involved a business associate. Overall, just under 20% of the reported breaches involve a business associate.
As HIPAA.com has reported before from an analysis of the breach data on the OCR Web site, 3 of 4 breaches involve electronic devices and media and 1 in 4 involve hard copy media, such as paper records and x-ray films. Of the electronic breaches, approximately 3 of 5 involve mobile or portable devices or media, but they represent over 92% of reported theft or loss in electronic breaches.
The growing number of individuals affected by privacy and security breaches heightens the need for OCR to issue the Final Privacy, Security, Breach Notification, and Enforcement Rules and to strengthen enforcement and accountability through compliance audits and complaint and breach investigations to ensure compliance with those Rules. Covered entities and business associates must pay more attention to conducting risk assessments and mitigating risks through privacy and security safeguard policies and procedures, and especially to training their workforce members to safeguard electronic hardware, devices, and media containing protected health information (PHI).
From HIPAA.com’s previous postings on breaches, you know that remediating breaches is costly, not only financially, but also in time, potential damage to reputation and customer goodwill, and lost business. The Ponemon Institute, a privacy and information management research firm, in March 2011 announced the results of the sixth annual U.S. Cost of a Data Breach Study. According to this study, based on survey data, breach incidents cost U.S. companies $214 per compromised customer record (2010 data). Looking just at OCR’s publicly disclosed 365 breaches, affecting nearly 18.2 million individuals, the potential remediation cost is just under $3.9 billion. The August 3, 2011, HDM Breaking News article mentions that “[t]he cost to reduce the risk to protected health information before a breach can be as low as 10 percent of the cost to remediate a medium-sized breach.” As the old automotive oil filter TV ad stated, “you can pay me now or pay me later.” Investment now in HIPAA/HITECH Act privacy and security safeguards to minimize risk to PHI is a cost-effective and wise investment, especially in ENCRYPTING YOUR PHI on mobile and portable electronic devices and media with a high likelihood of being lost or stolen.