Nearly 8.3 Million Individuals Impacted by 249 Privacy and Security Breaches Reported by HHS; More Training on Safeguarding PHI Required

Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches on its Web site.

As of March 17, 2011, OCR had posted on its Web site 249 breaches reported by covered entities, impacting 8,289,236 individuals. [1] The dates of these breaches ranged from September 22, 2009—the day prior to the effective date of the Breach Notification Rule—to January 12, 2011. Forty-eight of the cases reported by covered entities (19.3%) were breaches that involved a business associate. Excluding 12 breaches without identifying information, approximately 75% (177) of the total involved electronic protected health information (PHI) and 25% (58) involved PHI in hard copy format. Several reported breaches involved both electronic and hard copy PHI.

With regard to type of breach, 24 of the 249 reported breaches lacked sufficient detail. Of the remainder, 139 breaches, or about 62%, involved theft, and 37 breaches, or just over 16%, involved loss. Together, theft and loss accounted for 168 reported breaches, or just over 78% of the total number of breaches that impacted 500 or more individuals per incident. The remaining most prevalent types of breach were unauthorized access (38), hacking (22), and improper disposal (14). Twenty-five of the reported breaches involved a combination of types.

With regard to the 177 privacy and security breaches involving electronic PHI, 104, or approximately 59%, involved laptops and portable electronic devices (PEDs) not otherwise identified. All but 4 of these reported laptop and PED breaches involved theft or loss. These breaches should not be occurring!

On August 24, 2009, HHS issued its Interim Final Rule on Breach Notification, which included Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. This Guidance identifies readily available safeguards—encryption processes and disposal methods—for securing PHI. It is through indifference to, or neglect of, implementing encryption safeguards on portable and mobile electronic devices that covered entities and their business associates that breach unsecured electronic PHI are incurring unnecessary breach notification costs. Those costs do not include the costs borne by individuals impacted by a breach, or the costs to the breaching party of lost business and reputation and of required mitigation.

Covered entities and business associates must take greater responsibility to safeguard PHI, starting with more emphasis on training their workforce members who work with PHI.[2] The HITECH Act increased financial penalties for noncompliance from $100 for a single violation to $50,000, and the maximum for a repeat of a single violation in a calendar year from $25,000 to $1.5 million. In addition, the HITECH Act provided for compliance audits[3] as well as complaint investigations. As a result, the likelihood of discovery of noncompliance, and the financial consequences of such discovery—especially of willful neglect that is not corrected—are raised considerably now under the Breach Notification Interim Final Rule for covered entities and business associates, and will be enhanced even further with the simultaneous release of final HITECH Act privacy, security, and breach notification rules in 2011[4] that extend privacy and security obligations to business associates of covered entities and to subcontractors of business associates.

Indicative of the forthcoming tightening of HIPAA and HITECH Act privacy and security enforcement is the commentary of OCR Director Georgina Verdugo in the news release pertaining to the Resolution Agreement whereby Massachusetts General Hospital agreed to pay $1 million to settle potential HIPAA Privacy Rule violations.[5] Note the following commentary:

“We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.” … “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.” … “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.” [emphasis added]

Ed Jones [20110318]

[1] As of the end of 2010, OCR had received more than 14,000 reports of smaller breach incidents (fewer than 500 impacted individuals). See “Federal Audits Still in Development,” Healthcare Info Security, February 22, 2011, which is available online here.

[2] For example, “one-third of recently surveyed physician practices and 14 percent of surveyed hospitals do not conduct a regular security risk analysis of their electronic health information.” See “Survey Details the Security Landscape,” HDM Breaking News, November 5, 2010. The risk analysis is the foundation for preparing safeguard policies and procedures and for initiating a meaningful training program for workforce members on “awareness and understanding” of, and abiding by, those policies and procedures.

[3] “OCR, which hired the consulting firm Booz Allen Hamilton to help design the auditing program, ‘is still working through what will give us the most bang for the buck,’ Greene said. For example, it’s still weighing whether to audit a random sample of healthcare organizations or ‘going wider,’ he said.” Statement of Adam Greene, senior health IT and privacy advisor in OCR, on February 21, 2011. See “Federal Audits Still in Development,” Healthcare Info Security, February 22, 2011, which is available online here.

[4] Statement of Adam Greene, senior health IT and privacy advisor in OCR, on February 21, 2011. See Greg Gillespie, “OCR Plans to Tighten Up HITECH Privacy, Security, Breach Regs,” HDM Breaking News, February 21, 2011, which is available online here.

[5] See HHS, “Massachusetts General Hospital Settles Potential HIPAA Violations,” news release, February 24, 2011, which is available online here.
