HHS Posts First Privacy Breach Reports
The Department of Health and Human Services received reports of 36 large-scale privacy breaches in the last months of 2009 and early 2010. The department has posted basic descriptions of the breaches on its Web site in accordance with new federal rules.
Under the ARRA breach notification provisions, HIPAA covered entities and their business associates must notify HHS of any breaches affecting the unsecured protected health information of 500 or more people. The notification must be made without unreasonable delay and no later than 60 days from the discovery of the breach.
The rule went into effect September 22, 2009. Enforcement began this past Monday, February 22.
The majority of breaches resulted from lost or stolen hardware. The number of individuals affected ranged from a low of 501 (Alaska Department of Health and Social Services) to a high of 500,000 (Blue Cross Blue Shield of Tennessee). Providers, payers, and business associates appear on the list.
Covered entities and business associates must also report smaller breaches to HHS, but they may do so in a single report filed at the end of the year. Reports for 2009 are due by March 1, 2010. Organizations must notify affected individuals directly of any breach, regardless of size, that they judge could result in harm.
Do three dozen large-scale breaches represent a lot or a little? Collectively they involved more than 1 million individuals in the first months of the reporting program. As HHS continues to compile and report incidents, a clearer picture of the prevalence of privacy breaches will emerge. Already the reports make clear that breaches are occurring across the industry, in both private and public entities, large and small.