Health Data Management Magazine's May issue notes that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) posted 47 breaches of unsecured protected health information in the United States between September 22, 2009 and February 15, 2010.
The criterion for posting is that at least 500 individuals must be affected. In one case, 500,000 people were affected. The actual list is here. As of today, seven more breaches had been posted.
Unfortunately the information on the list is very disappointing. There are no details of any significance about the breaches. For example, here is the latest one on the list (as of 4/26/10):
Tomah Memorial Hospital
Approx. # of Individuals Affected: 600
Date of Breach: 3/19/10
Type of Breach: Other
Location of Breached Information: Other
While creating this "wall of shame" has some value, posting more details would surely be more valuable to all health care provider security practitioners.
American Medical News reported today (Feb 1, 2010) that the first lawsuit has been filed by a state Attorney General for a personal medical information privacy violation under the HITECH Act. The HITECH Act, part of the 2009 stimulus bill, was designed to strengthen HIPAA, which until then had limited penalties for violations.
If the HITECH Act itself was not enough of a wake up call, this lawsuit surely ought to be.
The Department of Health and Human Services this week published the regulations for the "breach notification" provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009 (ARRA). In effect, this is an extension of HIPAA that further strengthens HIPAA's Privacy Rule and Security Rule.
The new breach notification regulations are in a 121-page document. HHS also issued a press release that summarizes the new regulations.
This type of breach notification regulation started in California with SB 1386, the first state data breach notification law, which went into effect on July 1, 2003. Since then about 40 other states have passed similar laws.
In 2008, California went on to pass a specific health care information protection law, SB 541, which requires notification of breaches and financial penalties up to $250,000 per incident. Here is a Los Angeles law firm's presentation on it. Since SB 541 went into effect on January 1, 2009, there have been over 800 incidents reported.