The government is naming names! Today the Office for Civil Rights, part of the Department of Health and Human Services, did what it said all along it would do – post the names of covered entities AND business associates involved in data breaches. The list of organizations involved in breaches of unsecured protected health information (PHI) is somewhat lengthy.
Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify an individual, such as name, address, and social security number, together with clinical information about that individual. Part of the American Recovery and Reinvestment Act (ARRA), called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of unprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and therefore provides a safe harbor against breach notification.
Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear why their names are being withheld), universities, state governments, and several Blue Cross Blue Shield organizations.
More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.
Breaches of data at rest appear to be the most common category, most likely the result of lost laptops and backup tapes, and in one case a server that apparently went missing.
For more information on the February 18th enforcement, read Alex’s post on 3 Steps for Breach Notification Protection.
About Alex Zaltsman
Alex Zaltsman is the CEO of Experior Data Security and Encryption and a contributing expert to HITECH Answers. He can be reached at firstname.lastname@example.org, through his blog www.experiordata.com/blog or on Twitter: http://twitter.com/experiordata