December 2, 2010.
Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the Department of Health and Human Services (HHS) any breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for HIPAA privacy and security enforcement, is required to post these HIPAA privacy or security breaches on its website (please note that this URL is a change from the initial site locator and presents the breach information in a different format than the initial site did).
As of today's posting by OCR on its website, 200 breaches involving 5,887,170 individuals had been reported by covered entities. The dates of these breaches ranged from September 22, 2009 to October 17, 2010. Thirty-nine of the reported breaches, or 20%, involved business associates. Excluding 10 reported breaches without sufficient detail, 141, or approximately 3 out of 4 reported breaches, involved electronic protected health information (PHI) and 51, or approximately 1 out of 4, involved hard-copy PHI. Several reported breaches involved both electronic and hard-copy PHI, so these two counts overlap.
With regard to type of breach, 23 of the 200 reported breaches lacked sufficient detail. Of the remaining 177 reported breaches, 112, or just over 63%, involved theft and 31, or over 17%, involved loss. Together, theft and loss accounted for 143 reported breaches, over 80% of reported breaches involving 500 or more individuals. Several of these reported breaches also indicated a combination of causes. Here we focus on breaches of electronic PHI.
Of the 141 reported breaches involving electronic PHI, 86, or 61%, involved laptops and portable electronic devices (PEDs) not otherwise identified. All but 3 of these laptop and PED breaches involved theft or loss.
These breaches should not be occurring. On August 24, 2010, HHS issued its Interim Final Rule on Breach Notification, which included Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. This guidance outlines valid encryption processes for securing PHI; PHI secured by those processes is not "unsecured PHI," so its loss or theft does not trigger the breach notification requirement. It is through indifference to, or neglect of, implementing these encryption safeguards on portable and mobile electronic devices that covered entities and business associates that breach unsecured PHI incur unnecessary breach notification costs. Those costs do not include the costs borne by the individuals affected by the breach, or the loss of business and reputation suffered by the breaching party. Beyond covered entities and business associates taking greater responsibility for safeguarding PHI, OCR must also take a greater role in enforcement: put more emphasis on privacy and security compliance and on training of workforce members, increase the compliance audits authorized by the HITECH Act, and impose the substantially increased HITECH Act financial penalties for noncompliance with HIPAA Privacy and Security Rule provisions, especially for willful neglect.
Finally, as a reminder, the OCR website includes only breaches affecting 500 or more individuals. Breaches affecting fewer than 500 individuals must be reported to OCR annually, so the total number of affected individuals may be substantially higher than the figure already reported.