Late Breaking News
Faced With Lawsuit, TRICARE Reviews Policies After 4.9 Million Patient Data Breach Cont.
Recent federal laws are attempting to tackle health security breaches and make them more transparent. The HITECH Act, enacted in 2009, requires entities covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to provide notification of breaches of unsecured protected health information. HHS also must prepare a report to Congress about these breaches.
If a breach involves 500 or more individuals, the entity must notify the HHS Secretary at the same time the affected individuals are notified of the breach. These breaches are posted on the HHS website.
According to HHS’ annual report to Congress in 2009, HHS received 45 reports of breaches involving 500 or more individuals occurring during the approximately three-month reporting period in 2009 (Sept. 23, 2009, to Dec. 31, 2009) and 207 reports in calendar year 2010, the first full calendar year for reporting.
In 2010, approximately 5.4 million individuals were affected by these large breaches. Theft was the most commonly reported cause of large breaches.
“Among the 207 breaches that affected 500 or more individuals, 99 incidents involved theft of paper records or electronic media, together affecting approximately 2,979,121 individuals,” the report stated. “Loss of electronic media or paper records affected approximately 1,156,847 individuals. Unauthorized access to, or uses or disclosures of, protected health information affected approximately 1,006,393 individuals. Human or technological errors, or other failures to take adequate care of protected health information, affected approximately 78,663 individuals. Improper disposal of paper affected approximately 70,279 individuals. In addition to these five categories of breaches, the remaining large breaches were reported with an unknown cause or the covered entity’s description demonstrated uncertainty as to the exact cause.”