Nearly 8.3 Million Individuals Impacted by 249 Privacy and Security Breaches Reported by HHS; More Training on Safeguarding PHI Required

Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches…

READ MORE

200 Breaches Impacting Almost 5.9 Million Individuals, with Theft and Loss of Laptops and PEDs Major Cause

December 2, 2010.M Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the Department of Health and Human Services (HHS) any breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for HIPAA privacy and security enforcement,  is required to post these HIPAA privacy or security breaches on its Web site (please note that this URL is a change from the initial…

READ MORE

OCR Reports 107 Breaches Affecting Over 4 Million Individuals (II)

The Office for Civil Rights (OCR) regularly updates its Web site listing of breaches affecting 500 or more individuals. As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980. Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total. This is the second of three postings that analyzes the data from these 107 breaches. This posting (II) covers paper breaches. The first posting (I) covered electronic breaches, and the final posting (III) looks at the prevalence of business associate…

READ MORE

OCR Reports 107 Breaches Affecting Over 4 Million Individuals (I)

As of the July 4th holiday weekend, the Office for Civil Rights (OCR) has updated again its Web site listing of breaches affecting 500 or more individuals.  As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980.  Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total.  This is the first of three postings that analyzes the data from these 107 breaches.  This posting (I) covers electronic breaches, the next posting (II) covers hard copy (paper) breaches, and the…

READ MORE

OCR Stepping Up HIPAA Security Enforcement

Health Data Management (HDM) reported today, May 12, that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is going to strengthen HIPAA Security Rule enforcement, based on statements made on Tuesday, May 11 by the OCR Deputy Director for Privacy, Susan McAndrew, at the Safeguarding Health Information conference in Washington, DC, co-sponsored by OCR and the National Institute of Standards and Technology (NIST).  “To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes,” as reported by Joe Goedert in the HDM article, “OCR Boosting Security Enforcement,” which is available online. This report comes several days after…

READ MORE

OCR Identifies 36 Entities with Breaches Affecting 500 or More Individuals

On Monday, February 22, 2010, the federal government, through the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), began enforcing the Breach Notification Rule for breaches occurring on or after that date.  The Breach Notification for Unsecured Protected Health Information; Interim Final Rule, was published in the Federal Register on Monday, August 24, 2009 [74 FR 42739-42770] and was effective September 23, 2009.  Since September 22, 2009, 36 breaches of privacy or security of protected health information (PHI) affecting 500 or more individuals have been reported to OCR.  The total number of individuals affected was 1,073,657, with two of the breaches involving 359,000 (FL)…

READ MORE

Facility Access Controls: Facility Security Plan-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009. What…

READ MORE

Contingency Plan-What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule.  It has five implementation specifications:  Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis.  The first three are required; the last two are addressable.  Addressable does not mean optional.  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard.  Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. If a fire swept through a covered entity’s facility, the covered entity would…

READ MORE