OCR’s Publicly Disclosed Large Breaches Now Top 20 Million Impacted Individuals

May 16, 2012 · Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Privacy, Security

May 16, 2012.  The Department of Health and Human Services' (HHS) HIPAA/HITECH Act privacy and security enforcement arm, the Office for Civil Rights (OCR), is responsible under the HITECH Act for publicly disclosing privacy and security breaches that affect 500 or more individuals on its Breach Notification Web site.  With the newly reported Utah Department of Health hacking/IT incident breach, which occurred in the period March 10-April 2, 2012, and affected a reported 780,000 individuals, the 435 breaches reported since September 22, 2009, now total 20,079,189 impacted individuals.  Of the breaches where the location of the breached information is known (e.g., electronic or hard copy source), 72% involve electronic sources and 28% paper sources.  Of the total, irrespective of source, just under 20% involve a business associate.  Of the electronic-source breaches, just over 61% involved a laptop or other portable electronic device, and just under 92% of those devices are reported as stolen or lost.  Many of these incidents could have been avoided if the data had been secured through encryption.

The Office of Management and Budget (OMB) has been sitting on the delayed Final Privacy, Security, Breach Notification, and Enforcement Rules since March 24, 2012.  A speedier exit of these Final Rules from OMB's EO 12866 review, followed by publication in the Federal Register, might focus greater attention of covered entities and business associates on securing protected health information (PHI) and reducing the likelihood of these large breaches.  The consequences of such breaches are costly and time consuming to remedy, as shown by the recent Corrective Action Plan that is part of the April 17, 2012, Phoenix Cardiac Surgery Resolution Agreement with HHS.  Hopefully, OMB soon will release the delayed Final Rules, and OCR will accompany their publication with a comprehensive and continuing educational effort that highlights the importance of conducting a risk analysis, developing policies and procedures to safeguard PHI, training workforce members on those safeguards, and demonstrating the consequences of failing to achieve compliance.


© 2023 · hipaa.com

Prev Next