Recently, the Secretary of Health and Human Services submitted to Congress an annual report containing the number and nature of breaches of unsecured protected health information reported to the Office for Civil Rights (“OCR”) as required by the Health Insurance Portability and Accountability Act (“HIPAA”), and the actions taken in response to those breaches (“Report”). The Report was submitted to the Senate Committee on Finance, the Senate Committee on Health, Education, Labor, and Pensions, the House Committee on Ways and Means, and the House Committee on Energy and Commerce. The Report covers breaches reported to the OCR that occurred in calendar years 2011 and 2012, and also provides cumulative data on breaches reported since September 23, 2009.
The Report addresses large breaches and smaller breaches separately. Large breaches are those affecting 500 or more individuals, and a large breach must be reported to the OCR at the same time notice is given to the affected individuals. For 2011, the OCR received 236 reports of large breaches, which affected approximately 11,415,185 individuals. For large breaches occurring in 2012, the OCR received 222 reports, which affected approximately 3,273,735 individuals. Cumulatively, from September 23, 2009, through December 31, 2012, the OCR received 710 reports of large breaches affecting a total of approximately 22.5 million individuals.
Of the 236 large breaches in 2011, the OCR received 150 reports of breaches occurring at health care providers, 23 at health plans, and 63 at business associates. Theft and loss of protected health information were the most common causes of large breaches occurring in 2011. Of the 222 large breaches in 2012, there were 150 reports of breaches occurring at health care providers, 55 at health plans, 16 at business associates, and 1 report of a breach at a health care clearinghouse. In 2012, theft and hacking/IT incidents were the top causes of large breaches.
Breaches of unsecured protected health information affecting fewer than 500 individuals must be reported to the OCR no later than 60 days after the end of the calendar year in which the breaches are discovered. For 2011, the OCR received approximately 25,705 reports of smaller breaches affecting approximately 151,605 individuals. For 2012, the OCR received approximately 21,194 reports of smaller breaches affecting approximately 165,135 individuals. Many of the reports for 2011 and 2012 involved misdirected communications, for example where the clinical or claims records of one individual were mistakenly mailed or faxed to another individual, or where test results were sent to the wrong individual.
For more information, the Report can be found here.