HHS Reports 21M Affected by Health Data Breaches Since 2009
Another week, another data breach reported. Beth Israel Deaconess, Hartford Hospital and Stanford Hospital have all reported recent breaches of varying sizes. Since the HHS Office for Civil Rights (OCR) began publicly reporting breaches in September 2009, almost 21 million individuals have been affected. Breach notification and reporting were mandated by the HITECH Act, which strengthened the privacy and security provisions of HIPAA for an era of electronic records. The act substantially expands the HIPAA Privacy and Security Rules and increases the penalties for HIPAA violations. HIPAA privacy and security compliance is also required by two of the Stage 1 Meaningful Use objectives for Eligible Professionals.
HHS defines a breach as:
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
Of the breaches disclosed by the OCR (those affecting 500 or more individuals), theft leads the way at 54%, followed by unauthorized access or disclosure (20%), loss (11%), hacking (6%), and improper disposal (5%). Theft and loss together account for roughly two thirds of the total, which points at lost and stolen laptops and portable media as the largest single risk. Under the HHS guidance on unsecured protected health information, PHI encrypted to the referenced NIST standards is not considered unsecured, so a stolen device whose data is properly encrypted does not trigger the notification requirement.
So where can you turn for help and guidance? There are plenty of resources available for physicians, hospitals, and business associates (BAs). The HHS website collects a wealth of resource links, including:
- Breach Notification Regulation History
- Definition of Breach
- Unsecured Protected Health Information and Guidance
- Breach Notification Requirements
- Burden of Proof
- Instructions for Covered Entities to Submit Breach Notifications to the Secretary
Also, last month the OCR released a comprehensive audit protocol that sets out the requirements it will assess in its HIPAA performance audits. The protocol is organized into modules covering the separate elements of privacy, security, and breach notification.
[Related Article: Protocol for HIPAA Audits Released]
The National Institute of Standards and Technology (NIST) offers a free HIPAA Security Rule toolkit aimed at users including, but not limited to, HIPAA covered entities, business associates, and other organizations providing HIPAA Security Rule implementation, assessment, and compliance services. The tool was funded under ARRA and can be downloaded from NIST.