MAY 1, 2010

OCR Shines a Harsh Light on Data Breaches
Between Sept. 22, 2009, and Feb. 15, 2010, at least 47 instances of breaches of unsecured protected health information occurred in the United States, each affecting at least 500 individuals with one affecting more than 500,000.

We know this because a new federal rule requires the reporting of such breaches to the Office for Civil Rights in the Department of Health and Human Services. The OCR on Feb. 22 launched a Web site listing the initial batch of health care organizations that reported breaches (see list, pages 34 and 36).

The posting, which the OCR will regularly update, is mandated under the HITECH Act. Breach notification rules from HHS and the Federal Trade Commission (covering personal health records vendors) were published in August 2009 and have been in effect since last September.

The breach notification rule and its published listings, combined with other provisions in HITECH, have "reinvigorated" information protection compliance efforts at covered entities, says Susan McAndrew, deputy director for health information privacy in the OCR, which enforces health privacy laws.

McAndrew has more than two decades of federal government experience and for the past decade has worked primarily on HIPAA privacy issues at HHS. A practicing attorney before entering public service, she is the senior advisor on privacy matters to OCR Director Georgina Verdugo.

"Privacy really is back in the forefront of most conversations in the past year," says the nation's top health privacy cop. "New penalties which scale up to $50,000 per violation really are getting the attention of the industry."

Some question the OCR's past aggressiveness in hunting down and punishing privacy offenders. But the office has always preferred working with violators to resolve compliance issues and improve security, lowering the boom only in egregious instances. Since 2004, only a small number of organizations, notably Providence Health & Services ($100,000) and CVS/Pharmacy ($2.25 million), have been fined for HIPAA privacy rule violations. At least five individuals have pled or been found guilty of criminal violations of the rule.

Data breaches put individuals at increased risk of identity theft and other criminal uses of their sensitive, private data. And for organizations that must report breaches and notify individuals, the consequences to their credibility, and pocketbook, can be severe.

BlueCross and BlueShield of Tennessee officials have already spent $7 million and were still working in March to identify and notify 500,000-plus members of a data breach that occurred six months earlier.

Further, Connecticut Attorney General Richard Blumenthal in January became the first state lawyer, under jurisdiction granted to attorneys general in HITECH to enforce the HIPAA privacy and security laws, to sue a covered entity, insurer HealthNet of Connecticut Inc., for a breach of protected health information (see story, page 30).

Stakeholders will debate whether the breach notification rule goes too far, or not far enough. But there's little doubt that it's going to make the threat, and consequences, of data security breaches seem a little more real to providers and insurers that have for years been able to deal with breaches out of the public eye.

Under the HHS rule, notification is required from HIPAA-covered entities to affected individuals within 60 days of a breach. Within that period, covered entities must notify HHS and local media when a breach affects more than 500 individuals. Smaller breaches must be annually reported to HHS. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches.

Covered entities do not have to give notification of breaches if the information is encrypted. There is another exception that the HITECH statute did not authorize but that HHS added in the regulation: if covered entities conduct a risk assessment of the breach and determine that no consequential harm has resulted or will result from it, they don't have to report it.

Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society in Chicago, has mixed feelings on the harm threshold for notifications. "I think it could be used as a loophole." On the other hand, the threshold may encourage organizations to conduct a more thorough assessment of the breach than they otherwise may have, she notes.

The breach rule is an interim final rule that went through a public comment period before becoming effective and could be changed to some degree at HHS discretion through a final rule.

McAndrew at the Office for Civil Rights would not comment on whether HHS is considering any changes to the breach rule. Federal officials are constrained in what they can say about possible changes to rules that aren't final.

But Gallagher is confident that officials understand there are concerns that the threshold is a loophole. "I have seen them demonstrate over and over that they are taking input from the industry and considering it."

Enhanced Protection

Along with the breach notification rule and expanded jurisdiction for attorneys general, the HITECH Act further strengthened safeguards for protected health information and expanded patients' control over their information. These changes include:

* Applying requirements, and penalties, of the privacy and security rules directly to business associates as if they were covered entities;

* Stiffening civil penalties, up to $50,000 per violation, and enabling the levying of penalties on individuals within a covered entity;

* Giving individuals the right to request from covered entities an accounting of all disclosures of their protected health information from electronic health records systems;

* Granting individuals the right to receive an electronic copy of their personal health information maintained in an EHR;

* Requiring covered entities to limit uses and disclosures of personal health information to the "minimum necessary" to conduct a particular function;

* Restricting use of patient information for marketing purposes; and

* Enabling the HHS Office for Civil Rights to conduct periodic audits to ensure covered entities and business associates are complying with the privacy and security rules.

The breach rule has increased the attention given to the privacy and security rules to some degree, says Gallagher at HIMSS. And that heightened awareness certainly was further propelled by publication of the breach list in February. "It certainly has been a topic of conversation," she says. "I think there was a collective shock value that that's the level of exposure a breach will get you."
