At least three state government agencies are investigating the Health Net breach, which affected an estimated 1.9 million individuals and involved nine server drives missing from a California data center managed by IBM. The Department of Health and Human Services' Office for Civil Rights, which adds breach incidents to its official tally once details are confirmed, has not yet placed the Health Net incident on its list.
OCR added only nine incidents to its official tally in the past month. But those included a health information breach at New York City Health and Hospitals Corp. that affected 1.7 million. That incident involved the theft of backup tapes from an unlocked, unattended truck.
HITECH Act Mandate

OCR began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the HITECH Act breach notification rule took effect.
Under the interim final version of the breach notification rule, breaches affecting 500 individuals or more must be reported to OCR as well as the individuals affected, within 60 days.
More than half of the 249 major incidents reported so far have involved the theft or loss of computer devices, leading many regulators and security experts to highlight the need to encrypt laptops and other devices. But the Health Net and New York City Health and Hospitals Corp. incidents, which may have affected a combined total of 3.6 million, are calling attention to the need to protect storage media as well.
Meanwhile, OCR is ramping up its enforcement efforts. For example, it announced penalties in HIPAA privacy violation cases against Cignet Health and Massachusetts General Hospital. While the Cignet case involved a failure to provide patients with copies of their records, the Mass General case involved a breach stemming from the loss of paper records on a subway train.
"It is clear that we will be vigorously enforcing these requirements, and, with the increased penalties that are available under the HITECH Act, covered entities need to pay attention and take whatever steps they can to prevent complaints in the first place by meeting their obligations to the fullest," said Susan McAndrew, OCR's deputy director of health information privacy (See: OCR's McAndrew on Enforcing HIPAA). McAndrew also pointed out that OCR is continuing to investigate all the major breach incidents.
OCR has asked for more funding in its fiscal 2012 budget for its HIPAA and HITECH enforcement efforts. For example, it's seeking $1.3 million to investigate smaller breach incidents, which must be reported to OCR annually under the HITECH Act.
This spring, state attorneys general will get training on how to file HIPAA federal civil lawsuits, as enabled under the HITECH Act. And a HITECH-mandated HIPAA audit program is still in the works, with at least one pilot likely this year, McAndrew said.
A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected sometime this year. The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.