On Monday, February 22, 2010, the federal government, through the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), began enforcing the Breach Notification Rule for breaches occurring on or after that date. The Breach Notification for Unsecured Protected Health Information; Interim Final Rule, was published in the Federal Register on Monday, August 24, 2009 [74 FR 42739-42770] and was effective September 23, 2009. Since September 22, 2009, 36 breaches of privacy or security of protected health information (PHI) affecting 500 or more individuals have been reported to OCR. The total number of individuals affected was 1,073,657, with two of the breaches involving 359,000 (FL) and 500,000 (TN), as reported. Seven of the 36 reported breaches involved business associates of covered entities, totaling 118,062, or about 11% of affected individuals. Twenty-nine of the 36 breaches involved theft (22), unauthorized access (2), or a combination of theft and unauthorized access (5). Twenty-nine also involved electronic devices or electronic media. For more information, see the OCR Press Release here.
Your guide to HIPAA Compliance