The Office for Civil Rights (OCR) regularly updates its Web site listing of breaches affecting 500 or more individuals. As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980. Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total. This is the second of three postings that analyzes the data from these 107 breaches. This posting (II) covers paper breaches. The first posting (I) covered electronic breaches, and the final posting (III) looks at the prevalence of business associate involvement.
Public listing of such breaches is required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted as part of the American Recovery and Reinvestment Act of 2009. The breach list has been on the OCR Web site since February 23, 2010, the day after OCR began enforcement of breach notification for breaches that occurred on or after February 22. Excluding seven breaches that were not identified as to location, 25% involved breaches of protected health information (PHI) in hard copy (paper)form and 75% in various electronic forms.
Of the 25 identified hard copy (paper) breaches, the largest category was “other,” which means that OCR either needs to require more detailed information on “what happened” of covered entities reporting breaches or to provide greater specificity regarding the category: Type of Breach, if covered entities provide such information.
Of the hard copy (paper) breaches providing information in that category, six involved theft, five unauthorized access, four improper disposal, four loss, and one incorrect mailing. Included in those totals are three compound types reported by covered entities: one theft/loss, one theft/unauthorized access, and one improper disposal/loss.
The OCR Web site that lists breaches is at: hhs.gov.