Recently, the Department of Health and Human Services Office for Civil Rights (OCR), released its annual report on breaches of protected health information (PHI). Under the Breach Notification Rule, covered entities are required to issue notifications following breaches of unsecured PHI. Examples of covered entities include health care providers and health plans, such as HMOs. Covered entities must notify affected individuals of a breach without unreasonable delay and no later than 60 calendar days following discovery of the breach. Notification to the individuals affected by the breach must include:
- Covered entity’s contact information for individuals to ask questions and learn additional information;
- A brief description of the breach, including the date of the breach and discovery of the breach, if known;
- A description of the types of unsecured PHI involved in the breach;
- Any steps individuals should take to protect themselves from potential harm resulting from the breach; and
- A brief description of what the covered entity is doing to investigate the breach, mitigate harm to individuals, and to protect against future breaches.
In addition, for breaches implicating fewer than 500 individuals, covered entities must submit a report to OCR no later than 60 days after the end of the calendar year in which the breach was discovered. Breaches involving 500 or more individuals require the covered entity to provide notice to OCR at the same time the affected individuals are notified. Covered entities must notify OCR by filling out and electronically submitting a form available on OCR’s website.
In its annual report to Congress on breaches of unsecured PHI, OCR reported 236 breaches of PHI which affected over 500 people in 2011 and 222 in 2012. The 236 breaches in 2011 affected in total 11,415,185 individuals, while 3,273,735 were affected in 2012. Per department policy, OCR conducted investigations of each breach that affected over 500 individuals.
Following their investigations, OCR found that the primary reason for breaches affecting over 500 people in 2011 and 2012 was theft of portable electronics or paper containing PHI. The second leading cause of breaches was unauthorized access of records containing PHI. For example, in 2011 the largest breach occurred because of a loss of backup tapes, affecting 4.9 million people. Similarly, in 2012, 116,506 individuals were affected when an unencrypted laptop containing PHI was stolen.
In addition to its report on PHI breaches, OCR released a report regarding complaints alleging Health Insurance Portability and Accountability Act (HIPAA) violations. In this second report, OCR noted that it received 77,190 such complaints. OCR stated that by the end of the 2012 calendar year, it resolved approximately 91% of the complaints. Among those resolved, OCR noted that 42,793 of the allegations did not warrant enforcement of the HIPAA Rules. With that said, of all the investigated complaints between 2003 and 2012, OCR resolved 18,559 of them by providing technical assistance to resolve compliance problems and requiring covered entities to take corrective action. However, in 8,907 complaints, OCR found no HIPAA violations.
Since the enactment of the HIPAA Privacy and Security Rules, Wachler & Associates has counseled covered entities in HIPAA compliance. To ensure they are compliant, covered entities and business associates should update security policies and procedures and provide ongoing employee HIPAA compliance training. Wachler & Associates can assist you in implementing these protections. If you have any questions or require assistance developing and implementing a compliance plan for your entity, please contact an experienced healthcare attorney at 248-544-0888.