HHS Reports on Breaches of Unsecured Protected Health Information

In its recent Annual Report to Congress on Breaches of Unsecured Protected Health Information, the Office of Civil Rights of the Department of Health and Human Services confirms certain trends: bigger breaches, and breaches involving theft of electronic media:

Between January 1, 2010 and December 31, 2010, breaches involving 500 or more individuals also made up less than one percent of reports, yet accounted for more than 99 percent of the more than 5.4 million individuals who were affected by a breach of their protected health information. The largest breaches in 2010, like 2009, occurred as a result of theft. However, in comparison to 2009, in 2010, the number of individuals affected by the loss of electronic media or paper records containing protected health information was greater than the number of individuals affected by unauthorized access or human error.

HIPAA Breaches Reported to OCR Near 300

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265. This was up from September 2010, when there had been 191 such breaches. As of today, there are 292 listed. Given that the last reported date of breach on OCR's list is May 8, there are surely over 300 breaches that have now been reported.

Big HIPAA Breaches Now Number 265

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR's website.  It's safe to expect these figures will continue to climb for the foreseeable future.

What Is Inside Mass General's $1 Million HIPAA Settlement?

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services' Office of Civil Rights. This settlement stemmed from an incident on March 9, 2009, when an MGH employee, commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals." There was, however, no indication that any of the PHI was ever used in any way.

While the $1 million penalty is an attention-grabber, the elements of the Corrective Action Plan are also likely to be at least as costly and will be very burdensome.  They include:

  • three (3) years of reporting obligations from MGH to OCR;
  • adoption of new policies that OCR must review and approve;
  • training on these new policies that OCR must review and approve;
  • retention of a monitor who will conduct:
    • unannounced site inspections of MGH’s locations/departments/practices;
    • interviews with any members of the workforce who use PHI;
    • interviews with any members of the workforce involved in implementing the safeguards required by the CAP;
    • inspection of a sample of laptops and USB flash drives that contain ePHI and are under the control of workforce members to ensure that such devices satisfy all applicable requirements of the Policies and Procedures; and
    • inspection of relevant documents and interviews with workforce members for the purpose of confirming consistent training, implementation, and enforcement of the Policies and Procedures among workforce members.
  • submission of semi-annual monitor reports;
  • self-reporting of any "significant violations" of the CAP;
  • submission of an implementation report after 120 days of the CAP; and
  • annual reports to the monitor, which will be passed on to OCR.

This is a pretty heavy burden to carry around for three years. In fact, the CAP looks much more like a Corporate Integrity Agreement of the type entered into by a pharmaceutical manufacturer after a health care fraud settlement. I suspect that is precisely the message that OCR wanted to send.

Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy

My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape:  How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including:

500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR

In the recently released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged: the Office of Civil Rights does not have the resources to review all reported breaches of health information. In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit.

While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed. According to that same budget report, "[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals)." That's a mere 2% of all breaches that have OCR's full attention. The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on less than 500 individuals.

Public Discussion on Confidentiality and Privacy Issues Related to Psychological Testing

The Substance Abuse and Mental Health Services Administration ("SAMHSA"), in close cooperation with the Department of Health and Human Services Office for Civil Rights ("OCR"), is conducting a study of the "Confidentiality and Privacy Issues Related to Psychological Testing Data." This study was specifically called for in section 13424 of the Health Information Technology for Economic and Clinical Health ("HITECH") Act.

HIPAA's Privacy Rule includes special protections relating to the use and disclosure of psychotherapy notes; this SAMHSA study will address whether these special protections should also be applied to test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.

To this end, SAMHSA has announced a regional public meeting in Chicago, Illinois, on October 7, 2010, to give the public a chance to learn about this issue and express opinions. Registration is necessary, but there is no charge for attending. Another regional meeting will be held this year in Los Angeles in late November or early December. The meeting is designed for mental health professionals, consumers, health care providers and health plans, agency administrators, health information technology experts, and test developers.

The significant concepts and issues being addressed in this project include:

  • What activities and information are considered the "test data" that is part of a mental health evaluation? What are the relevant distinctions among test materials, raw data, and reports or assessments with respect to the level of protection currently afforded and/or otherwise necessary?
  • Does the individual (i.e., the subject of the test data) need to know, or have an interest in, inspecting or obtaining a copy of such information?
  • Are there circumstances under which test data should be disclosed to third parties?
  • Should the individual's authorization be required prior to such a disclosure? To whom should test data be released?
  • How would affording mental health test data a higher level of protection affect the workflow in medical, behavioral health, or psychological practices? Are there any additional implications with respect to clinical integration efforts and the increasing availability of mental health services in general health care settings?
  • How is the issue of greater protection for test data affected by State and Federal laws other than HIPAA?
  • In light of the increasing reliance on electronic health records and the exchange of electronic health data, what are the implications of setting more stringent requirements for the use and disclosure of test data?

Small groups will consider these and other central questions following brief presentations by SAMHSA's and OCR's study team.

Update on HIPAA Business Associate Regulations -- OCR Says They Still Aren't Ready, Gives No Date

In a notice apparently posted March 17, 2010, the Office of Civil Rights of the Department of Health and Human Services ("OCR") acknowledged its delay in issuing regulations for HIPAA business associate agreements. Those regulations are now a month overdue and, from OCR's language, they do not appear imminent:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

(Emphasis added.) What does seem clear from this notice is that OCR enforcement of the underlying law is not imminent, and that more guidance on that will come when the regulations are issued.

HHS Reports 35 Breaches Impacting 500 or More People

At the end of February, the HHS Office of Civil Rights ("OCR") posted on its website a list of HIPAA "covered entities" that have reported breaches of unsecured health information affecting more than 500 individuals. OCR's posting showed 35 health data breaches that impacted over 700,000 individuals (with individual breaches ranging in size from 359,000 individuals, due to the theft of a laptop, to 501 individuals impacted by the theft of a portable USB device).

This posting by OCR was required by the August 2009 Interim Final Rule, which was issued pursuant to the HITECH Act. In particular, § 164.408 of this breach notification interim final rule implements § 13402(e)(3) of the HITECH Act. The rule became effective September 23, 2009.

Under this rule, breaches that affected 500 or more individuals must be reported to OCR within 60 days, via an OCR online notification form. Training materials and related guidance on breach notification can be found on the OCR web site.

HIPAA Breach Notification Made Simple -- Just Fill in the Blanks

The Department of Health and Human Services' Office of Civil Rights ("OCR") has tried to make a HIPAA security breach easy to report, with its newly released online "Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information."

The online form is straightforward, featuring pull-down options tied to the new HITECH rules: it will let you report whether your breach is for more than 500 individuals (or fewer than that), the type and location of the breach, etc. OCR estimates the form will take 15-30 minutes to complete.

Interestingly, the form does not require a statement under penalty of perjury from the submitting party, only a statement that "I attest, to the best of my knowledge, that the above information is accurate." This could be seen as an attempt to encourage reporting, by not saddling breach reporters with potential liability for making false statements to the government. However, it would also seem to encourage anonymous reporting, via the use of an alias.

Good News and Bad News: An Employer Is Hiring; It's The HHS Office of Civil Rights!

In an email to its listserv earlier today, the federal Department of Health and Human Services announced it "is expanding its health information privacy enforcement team." In particular, HHS is hiring for two new positions, located in HHS's "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)." As described on USAJOBS.GOV, the people to be hired "will be responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR's authority for ensuring compliance with the privacy of health information." If you are a privacy officer, this could be the federal government stimulus you've been waiting for!