DataBreaches.Net


Healthcare Data Breaches Slow To Surface

Posted on December 3, 2009 by Dissent

Doug Pollack, Chief Marketing Officer for ID Experts, wrote the following article, questioning why we’re not yet seeing any reports of breaches affecting 500 or more posted to HHS’s website under the provisions of HITECH that went into effect September 23. Keeping in mind that not all breaches involving healthcare organizations involve unsecured protected health information, that it takes time to figure out a breach and report it, that HHS gave entities an “out” by inserting a “harm threshold” that Congress did not want or legislate, and that HHS may not have anyone dedicated to updating their web site, I’m not particularly surprised that we’re not seeing anything on HHS’s web site yet. But like Doug, I keep watching their site, too.

Since the HITECH Act data breach notification provisions became effective this past September 23, 2009, I’d recently become curious about the number and nature of data breaches that would start to appear on the website at the Department of Health and Human Services (HHS).

The HHS Rules require healthcare organizations (specifically HIPAA covered entities) to report to HHS any data breach incidents that have affected over 500 individuals, shortly after the breach is discovered.

I noticed that the Identity Theft Resource Center (ITRC) 2009 ITRC Breach Report, a terrific compendium of public information from numerous sources on data breach incidents, had captured numerous healthcare data breaches since the September 23rd effective date.

And of course there have been several very high profile healthcare data breaches recently including the Blue Cross Blue Shield Association breach that affected over 850,000 of their medical providers, as well as the recent Health Net data breach affecting over 1.5MM individuals.

So with great anticipation I visited the HHS website where there is a section on the Breach Notification Rule and clicked on the following link:

“View Breaches Affecting 500 or More Individuals. OCR must post a list of breaches that affect 500 or more individuals. View a list of these breaches.”

And surprisingly, there was nothing there.

Now, it is very hard to imagine that no data breaches have been detected since September 23rd that affected over 500 individuals and would have had the potential to lead to harm for the affected population.

So, I’m perplexed as to why there aren’t any data breaches over 500 individuals yet listed by HHS.

I guess it is possible that some healthcare providers may still be unaware of the reporting mandate, but it would seem unwise of others that are aware of the breach notification provisions and have experienced a sizable data breach to neglect to comply with the mandatory HHS reporting requirement.

If anyone can shed light on the lack of content on the HHS data breach notification site, I think it would be of interest to all of us who are watching to see whether the public reporting provisions of the HITECH Act will result in more responsible behavior by entities to expose our protected health information (PHI).

Medical Identity Theft Risks

It is unfortunate that while we have very clear rights to access and correct our financial records, we don’t have similar rights when it comes to our medical records.

While this hasn’t been a high level concern for patients up until now, because the majority of fraud thus far has mostly impacted the healthcare insurers, the implications for all of us are getting more and more serious.

This segment describes a situation where a young woman’s social security number at the Red Cross became associated with a patient who visited a clinic in another state, years ago, who had AIDS.

It illustrates the difficulty that one has in correcting such issues with our medical identities.

—
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com


Category: Health Data

