200 Breaches Impacting Almost 5.9 Million Individuals, with Theft and Loss of Laptops and PEDs Major Cause

December 6, 2010. Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, Privacy, Security

December 2, 2010.

Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the Department of Health and Human Services (HHS) any breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for HIPAA privacy and security enforcement, is required to post these HIPAA privacy or security breaches on its Web site (please note that this URL is a change from the initial site locator, and that it presents the breach information in a different format than the initial site did).

As of today's posting by OCR on its Web site, there were 200 breaches involving 5,887,170 individuals that had been reported by covered entities. The dates of these breaches ranged from September 22, 2009 to October 17, 2010. Thirty-nine of the reported breaches, or 20%, involved business associates. Excluding 10 reported breaches without sufficient detail, 141, or approximately 3 out of 4 reported breaches, involved electronic protected health information (PHI), and 51, or approximately 1 out of 4 reported breaches, involved hard-copy PHI. Several reported breaches involved both electronic and hard-copy PHI.

With regard to type of breach, 23 of the 200 reported breaches lacked sufficient detail. Of the remaining 177 reported breaches, 112, or just over 63%, involved theft, and 31, or over 17%, involved loss. Together, theft and loss, or 143 reported breaches, accounted for over 80% of reported breaches involving 500 or more individuals. Several of these reported breaches also indicated a combination of causes. Here we focus on breaches of electronic PHI.

Of the 141 reported breaches involving electronic PHI, 86, or 61%, involved laptops and portable electronic devices (PEDs) not otherwise identified. All but 3 of these reported breaches of laptops and portable electronic devices involved theft or loss.

These breaches should not be occurring. On August 24, 2010, HHS issued its Interim Final Rule on Breach Notification, which included Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. This guidance outlines valid encryption processes for securing PHI. It is through indifference to, or neglect of, implementing these encryption safeguards on portable and mobile electronic devices that covered entities and business associates that breach unsecured PHI are incurring unnecessary breach notification costs. That figure does not include the costs borne by individuals impacted by a breach, or the costs of lost business and reputation suffered by the breaching party. In addition to covered entities and business associates taking greater responsibility to safeguard PHI, OCR also must take a greater role in enforcement: namely, put more emphasis on privacy and security compliance and on training of workforce members, increase the compliance audits authorized by the HITECH Act, and impose the substantially increased HITECH Act financial penalties for noncompliance with HIPAA Privacy and Security Rule provisions, especially for willful neglect.

Finally, as a reminder, the OCR Web site only includes breaches affecting 500 or more individuals. Breaches affecting fewer than 500 individuals must be reported to OCR annually, so the total number of affected individuals may be substantially higher than the number already reported. [20101202]

© 2023 · hipaa.com