HHS Posts Data Breach Notifications

The Office for Civil Rights in the Department of Health and Human Services has launched a Web page listing covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals.

The posting is mandated under the HITECH Act, and comes as the grace period for enforcement of the data breach notification rules has passed. Breach notification rules from HHS and the Federal Trade Commission (covering personal health records vendors) have been in effect since late September. Officials at both agencies used enforcement discretion to not impose sanctions for failure to report breaches until Feb. 22.

Under the HHS breach notification rule, notification to HHS and the media within 60 days is required when a breach affects more than 500 individuals. Smaller breaches must be reported to HHS annually. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches.

The new Web page launched with a list of 47 reported breaches, ranging from 501 affected individuals at the Alaska Department of Health and Social Services to 500,000 at BlueCross BlueShield of Tennessee. The list is available at hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html.

--Joseph Goedert
