Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) as strengthened by the HITECH Act, is required to post those breaches on its Web site.
As of April 4, 2011, OCR reported that a total of 256 breaches, reported by covered entities between September 22, 2009 (the day before the Breach Notification Rule took effect) and February 8, 2011, had affected 10,202,051 individuals. One of seven newly posted breaches on the Web site pushed the number of affected individuals over 10 million: California-based Health Net, Inc. reported a breach affecting 1.9 million individuals on January 21, 2011, listing the type of breach as “unknown” and the location of the breached information as “other.” Health Net issued a news release about this incident on March 14, 2011, which is available online. In that news release, Health Net indicated that a business associate, IBM, had notified Health Net that “it could not locate several server drives.” Health Net is continuing to investigate the whereabouts of those drives and is offering affected individuals several monitoring and insurance remedies intended to mitigate the risk that protected health information (PHI) identifiers are misused and the harm that would result.
The growing number of individuals affected by privacy and security breaches heightens the need for OCR to strengthen enforcement, and for covered entities and business associates to pay closer attention to compliance with the HIPAA/HITECH Act privacy and security rules, especially training of workforce members to safeguard electronic hardware, devices, and media containing PHI.