Covered entities have reported breaches of unsecured protected health information affecting 500 or more individuals to the Office for Civil Rights (OCR) nearly once every other day since the HIPAA privacy and security enforcer began posting the information 18 months ago.
The list, posted on the OCR breach notification website, hit the 300 mark this week. OCR went live with the site in February 2010, recording breaches that date back to September of 2009.
That's about 13 breaches per month dating back to the fall of 2009.
The website is part of the breach notification interim final rule, in effect since September 2009. OCR withdrew the rule a little more than one year ago from the hands of the Office of Management and Budget (OMB), which reviews rules for government agencies. OCR wanted more time to pursue changes to the rule.
The provisions in the rule include:
- Notice to patients of breaches "without reasonable delay" within 60 days
- Notice to covered entities by BAs when BAs discover a breach
- Notice to "prominent media outlets" on breaches of more than 500 individuals
- Notice to "next of kin" on breaches of patients who are deceased
- Notice to the Secretary of HHS of breaches of 500 or more without reasonable delay
- Annual notice to the Secretary of HHS of breaches of less than 500 of "unsecured PHI" that pose a significant financial risk or other harm to the individual, such as reputation
OCR Enforcement By the Numbers:
- 420: Complaints alleging a violation of the HIPAA Security Rule made to OCR since October 2009
- 192: Security complaints closed by OCR after investigation and appropriate corrective action
- 294: Open security complaints and compliance as of May 31, 2011
- 61,333: HIPAA Privacy Rule complaints since the compliance date in April 2003
- 55,858: Complaints resolved through investigation and enforcement (13,745); through investigation and finding no violation (7,132); and through closure of cases that were not eligible for enforcement (40,456).