HHS Reports on Breaches of Unsecured Protected Health Information

Posted on January 22, 2012 by Colin J. Zick

In its recent Annual Report to Congress on Breaches of Unsecured Protected Health Information, the Office of Civil Rights of the Department of Health and Human Services, we see confirmation of certain trends-- bigger breaches and breaches involving theft of electronic media:

Between January 1, 2010 and December 31, 2010, breaches involving 500 or more individuals also made up less than one percent of reports, yet accounted for more than 99 percent of the more than 5.4 million individuals who were affected by a breach of their protected health information. The largest breaches in 2010, like 2009, occurred as a result of theft. However, in comparison to 2009, in 2010, the number of individuals affected by the loss of electronic media or paper records containing protected health information was greater than the number of individuals affected by unauthorized access or human error.

Tags: , , , , , , , , ,

What Is Inside Mass General's $1 Million HIPAA Settlement?

Posted on March 13, 2011 by Colin J. Zick

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement  and Corrective Action Plan with the Department of Health and Human Services' Office of Civil Rights.  This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals."  There was, however, no indication that any of the PHI was ever used in any way.

While the $1 million penalty is an attention-grabber, the elements of the Corrective Action Plan are also likely to be at least as costly and will be very burdensome.  They include:

  • three (3) years of reporting obligations from MGH to OCR;
  • adoption of new policies that OCR must review and approve;
  • training on these new policies that OCR must review and approve;
  • retention of a monitor who will conduct:
    • unannounced site inspections of MGH’s locations/departments/practices;
    • interviews with any members of the workforce who use PHI; 
    • interviews with any members of the workforce involved in implementing the safeguards required by the CAP;
    • inspection of a sample of laptops and USB flash drives that contain ePHI and are under the control of workforce members to ensure that such devices satisfy all applicable requirements of the Policies and Procedures; and
    • inspection of relevant documents and interviews with workforce members for the purpose of confirming consistent training, implementation, and enforcement of the Policies and Procedures among workforce members.
  • submission of semi-annual monitor reports;
  • self-reporting of any "significant violations" of the CAP;
  • submission of an implementation report after 120 days of the CAP; and
  • annual reports to the monitor, which will be passed on to OCR.

This is a pretty heavy burden to carry around for three years.   In fact, the CAP looks much more like a Corporate Integrity Agreement of the type entered into by a pharmaceutical manufacturer after a health care fraud settlement.  I suspect that is precisely the message that OCR wanted to send.

Tags: , , , , , , , , , , , ,

500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR

Posted on February 21, 2011 by Colin J. Zick

In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged:  the Office of Civil Rights does not have the resources to review all reported breaches of health information.  In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website, and
subsequently investigate all breach reports that impacted more than 500 individuals.
Breach reports that impacted fewer than 500 individuals are compiled for future reporting
to Congress; however they are treated as discretionary and only investigated if resources
permit.

While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed.  According to that same budget report, "[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals)."  That's a mere 2% of all breaches that have OCR's full attention.  The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on less than 500 individuals.

Tags: , , , , , , , , , , ,

HHS Reports 35 Breaches Impacting 500 or More People

Posted on March 2, 2010 by Colin J. Zick

At the end of February, the HHS Office of Civil Rights (“OCR”) posted on its website a list of HIPAA “covered entities” that have reported breaches of unsecured health information affecting more than 500 individuals.  OCR’s posting showed 35 health data breaches that impacted over 700,000 individuals (with individual breaches ranging in size from 359,000 individuals, due to the theft of a  laptop to 501 individuals impacted by the theft of a portable USB device). 

This posting by OCR was required by the August 2009 Interim Final Rule, which was issued pursuant to the HITECH Act.  In particular, § 164.408 of this breach notification interim final rule implements § 13402(e)(3) of the HITECH Act. The rule became effective September 23, 2009. 

Under this rule, breaches that affected 500 or more individuals must be reported to OCR within 60 days, via an OCR online notification form.  Training materials and related guidance on breach notification can be found on the OCR web site.  

Tags: , , , , , ,