Interesting: the three new breaches on HHS’s breach tool that I hadn’t heard about already all involved paper records. Here are the entries from their tool showing the name(s) of involved entities, the number of patients affected or notified, the date of the breach, and the type of breach:
Medicare Fee-for-Service Program, MD, “Cahaba Government Benefit Administrators LLC“,” 13,412″, 4/11/2011, Unauthorized Access/Disclosure , Paper,,
Cahaba is a private contractor for Centers for Medicare & Medicaid Services that administers Medicare fee-for-service programs. I see no notice linked from their web site home page at this time.
Tuba City Regional Health Care Corporation, AZ,, “2,000” , 4/1/2011, Loss/Improper Disposal,Paper,,
Once on the TCR section of their web site, I did find a notice that reads, in part:
Recently we discovered that dietician treatment cards were missing during a department move from the main hospital to the new Outpatient Primary Care Center. Treatment cards included personal health information and phone numbers used by the dietician to counsel patients. Upon learning of this, we launched an internal investigation to try to determine what happened to the cards. We believe that the cards were inadvertently destroyed in the facility’s trash compacter.
A description of the types of unsecured protected health information involved in the breach:
Dietician treatment cards included but not limited to: patient name, date of birth, phone number, medical record number, treatment plan, progress notes, medications, diagnoses, procedures, height, weight, visit dates, and diagnostic findings.
And finally:
Navos, WA,,”2,700″, 3/15/2011, Unknown, Paper,,
Navos Mental Health Solutions in Washington provides both outpatient and inpatient services. There does not seem to be any notice on their web site at this time that I can find.
So… over 17,000 records with PHI in three incidents that many people would not even try to track because gosh darn it, big hacks of electronic databases are “sexier” than breaches involving paper records.
For years, I’ve been advocating to pay more attention to paper breaches. At the risk of sounding like a broken record: both Congress and states need to look at existing and proposed laws to see if they mandate adequate security of paper records and breach notification for breaches involving paper records. Only a minority of states seemingly require breach notice of this kind. While HIPAA requires notification for covered entities, what about businesses that are not HIPAA-covered entities? Shouldn’t they also be required to secure and notify?