In the past month, 16 incidents that occurred in 2010 or 2011 were added to the tally, which the Department of Health and Human Services' Office for Civil Rights regularly updates. These include the largest breach on the list so far - the Health Net incident, which affected 1.9 million - and a breach at Eisenhower Medical Center, which affected more than 500,000.
Although only 11 incidents that occurred this year have made it to the federal list so far, those cases - because of the big numbers for Health Net and Eisenhower - affected a combined total of 2.5 million.
At least four state agencies are investigating the Health Net incident in January, which involved hard drives missing from a data center managed by IBM (See: Health Net Breach Tops Federal List). The OCR list still labels the type of breach at Health Net as "unknown" and the location as "other." The office amends its list, fine-tunes the total number of individuals affected and adds details as its investigations continue.
The second largest incident on the OCR list, which occurred last December at New York City Health and Hospitals Corp., involved the theft of backup tapes stolen from a truck transporting them for secure storage (See: New York Breach Affects 1.7 Million).
Value of EncryptionThe Health Net and New York cases have placed a spotlight on the need to take adequate precautions to keep data centers physically secure and to protect backup tapes with encryption. In an interview, security expert Andrew Weidenhamer of SecureState offers insights on these topics (See: Physical Security: Timely Tips). For example, he says any device or media that stores sensitive patient information, including backup tapes, should be encrypted. "Encryption is the single best way to protect sensitive data," he stresses.
To help call attention to the value of encryption and other protections, the Privacy and Security Tiger Team has recommended that participants in Stage 2 of the HITECH Act electronic health record incentive program be required to verify how they protect stored patient information (See: Privacy, Security Proposals Advance).
The Eisenhower Medical Center incident in March stemmed from the theft of a desktop computer (See: 514,000 Notified of Stolen Computer). More than half of the 265 major incidents reported so far have involved the theft or loss of computer devices. Roughly 20 percent, including the Health Net and New York City Health and Hospitals incidents, have involved business associates.
HITECH Act MandateOCR began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the interim final version of the HITECH Act breach notification rule took effect.
The rule requires healthcare organizations to notify those affected by breaches of any size. Major incidents, defined as those affecting 500 or more individuals, must be reported to the Office for Civil Rights within 60 days. But breaches of information that's been encrypted using a specific standard do not have to be reported.
A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected later year. The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.
OCR has asked for more funding in its fiscal 2012 budget for its HIPAA and HITECH Enforcement efforts. For example, it's seeking $1.3 million to investigate smaller breach incidents, which must be reported to OCR annually under the HITECH Act.
This spring, state attorneys general are getting training on how to file HIPAA federal civil lawsuits as enabled under the HITECH Act. And a HITECH-mandated HIPAA compliance audit program is still in the works, with at least one pilot likely this year, says Susan McAndrew, OCR's deputy director of health information privacy (See: OCR's McAndrew on Enforcing HIPAA.)