Physical Security Issues Cause Most BA Breaches
Types of Breaches By Business Associate
Based on HHS data of Aug. 19, 2010

| # of BA Breaches | Type of Breach | Records Affected |
|---|---|---|
| 9 | Other | 132,085 |
| 8 | Theft | 319,252 |
| 6 | Loss | 983,959 |
| 4 | Unauthorized Access | 1,969 |
| 1 | Hacking/IT Incident | 2,000 |
| Total | | 1,439,265 |

HIPAA Business Associates accounted for
about 20% of health data breaches affecting more than 500 patients,
according to a HIP/SA analysis of HHS statistics as of Aug. 19,
2010. Of the 133 total breaches, 28 were related to Business
Associates.
Of the 4,764,891 patient records that have
been breached, Business Associates accounted for approximately
1.4 million, or 30% of all records.
This number and the percentage are likely
to rise because of the proposed HIPAA revisions that expand the
range of contractors that will be covered under the breach
notification provisions. Privacy and security officers also should
note that the statistics do not include breaches under 500 records
that must be reported at the end of the year. It is far from clear
how many Business Associates will be reporting on themselves at that
time, in part because of confusion among some contractors over who
is ultimately covered by HIPAA under the HITECH amendments.
Paper records were the most frequently
specified media for BA breaches. However, thefts of laptops and
portable electronic devices were by far the most damaging.
HIPAA Privacy Complaints Double in June
The HHS Office for Civil Rights (OCR)
reported that it received 651 complaints in its HIPAA privacy
enforcement program in July for a total of 53,789 since enforcement
began in April 2003.
That was half the number it received in
June when it received 1,376. In May, it received 652.
The large swing in the number of
privacy complaints in June may have been due to the processing of
the first annual batch of breach reports affecting fewer than 500
patients by covered entities.
Of the 17,381 complaints that have
fallen within OCR’s jurisdiction, 11,421 required corrective actions
by a covered entity (CE).
In other words, the agency reported
that it determined that in July 250 additional complaints fell within
its jurisdiction and required CE action. In June, it added 321
complaints; in May, it added 207.
Overall, about 21.2% of complaints
resulted in some corrective action by a CE. The remaining 5,960
complaints did not uncover a HIPAA violation.
About 34% of the agency investigations
did not uncover a HIPAA privacy violation.
The agency also revealed that it had
resolved more than 90% of all the complaints it had received.
However, that number included the large
number of complaints not within HHS’s jurisdiction.
After more than six years, HHS has not
yet imposed a civil monetary penalty. HHS pointedly did not impose
civil monetary penalties in its agreements with Providence Health or
with CVS Caremark (08/08 HIP/SA, p.1; 02/09 HIP/SA,
p.1) or with Rite Aid (see story, p. 8).
It referred more than 474 cases to the
Justice Department for possible criminal prosecution. That suggested
the agency made three referrals in July.
Referrals to the Justice Department do
not necessarily mean that a criminal investigation will be
initiated. Instead, it meant that OCR determined that these cases
deserved assessment by federal prosecutors.
To date, there has been little evidence
suggesting that HIPAA complaints to OCR have prompted any criminal
prosecutions by the Justice Department.
Typically, the Justice Department has invoked HIPAA charges only
after it had already sought the prosecution of an individual under
other federal laws.
The privacy issues investigated most often were:
- Impermissible uses and disclosures of
protected health information (PHI);
- Lack of safeguards of PHI;
- Lack of patient access to their PHI;
- Uses or disclosures of more than the Minimum
Necessary PHI; and
- Complaints to the covered entity.
The most common types of covered entities that had to take
corrective action to get into compliance were:
- Private Practices;
- General Hospitals;
- Outpatient Facilities;
- Health Plans; and
- Pharmacies.

PRIVACY
HIPAA Complaints Lodged with OCR Through June 30, 2010*

| Month | Monthly | Running Total* | Cases Under OCR Jurisdiction | Cases Requiring CE Action | Cases Requiring No CE Action | % Required CE Action of Total Lodged Complaints | Case Referrals to DoJ | Running Total for DoJ* |
|---|---|---|---|---|---|---|---|---|
| 2007 | | | | | | | | |
| July | 880 | 29,276 | 7,380 | 4,952 | 2,428 | 17% | 3 | 410 |
| August | 718 | 29,994 | 7,550 | 5,066 | 2,484 | 17% | 1 | 411 |
| September | 608 | 30,602 | 7,668 | 5,149 | 2,519 | 17% | 1 | 412 |
| October | 592 | 31,194 | 7,882 | 5,299 | 2,583 | 17% | 3 | 415 |
| November | 762 | 31,956 | 8,030 | 5,397 | 2,633 | 17% | 3 | 418 |
| December | 531 | 32,487 | 8,199 | 5,509 | 2,690 | 17% | 1 | 419 |
| 2008 | | | | | | | | |
| January | 790 | 33,277 | 8,405 | 5,653 | 2,752 | 17% | 0 | 419 |
| February | 639 | 33,916 | 8,613 | 5,775 | 2,838 | 17% | 3 | 422 |
| March | 855 | 34,771 | 8,923 | 5,971 | 2,952 | 17% | 4 | 426 |
| April | 759 | 35,530 | 9,219 | 6,159 | 3,060 | 17% | 5 | 431 |
| May | 844 | 36,374 | 9,548 | 6,392 | 3,156 | 18% | 4 | 435 |
| June | 849 | 37,223 | 9,938 | 6,648 | 3,290 | 18% | 1 | 436 |
| July | 981 | 38,204 | 10,203 | 6,811 | 3,392 | 18% | 1 | 437 |
| August | 608 | 38,812 | 10,452 | 6,985 | 3,467 | 18% | 1 | 438 |
| September | 780 | 39,592 | 10,851 | 7,227 | 3,624 | 18.3% | 1 | 439 |
| October | 656 | 40,248 | 11,139 | 7,429 | 3,710 | 18.5% | 0 | 439 |
| November | 421 | 40,669 | 11,355 | 7,570 | 3,785 | 18.6% | 4 | 443 |
| December | 438 | 41,107 | 11,587 | 7,729 | 3,858 | 19% | 5 | 448 |
| 2009 | | | | | | | | |
| January | 700 | 41,807 | 11,791 | 7,861 | 3,930 | 19% | 3 | 451 |
| February | 581 | 42,388 | 11,992 | 7,992 | 4,000 | 19% | 2 | 453 |
| March | 664 | 43,052 | 12,314 | 8,212 | 4,102 | 19% | 1 | 454 |
| April | 639 | 43,691 | 12,586 | 8,402 | 4,184 | 19% | 2 | 456 |
| May | 545 | 44,236 | 12,837 | 8,571 | 4,226 | 19% | 1 | 457 |
| June | 675 | 44,911 | 13,125 | 8,756 | 4,369 | 19% | 2 | 459 |
| July | 719 | 45,630 | 13,364 | 8,918 | 4,446 | 19% | 1 | 460 |
| August | 690 | 46,320 | 13,646 | 9,095 | 4,551 | 19% | 4 | 464 |
| September | 653 | 46,973 | 13,998 | 9,318 | 4,680 | 19% | 0 | 464 |
| October | 659 | 47,632 | 14,303 | 9,601 | 4,802 | 20% | 0 | 464 |
| November | 591 | 48,223 | 14,588 | 9,656 | 4,922 | 20% | 2 | 466 |
| December | 545 | 48,768 | 14,901 | 9,854 | 5,047 | 20% | 1 | 467 |
| 2010 | | | | | | | | |
| January | 850 | 49,588 | 15,241 | 10,050 | 5,191 | 20% | 2 | 469 |
| February | 622 | 50,210 | 15,485 | 10,206 | 5,279 | 20% | 1 | 470 |
| March | 779 | 50,989 | 15,977 | 10,515 | 5,462 | 21% | 0 | 470 |
| April | 773 | 51,762 | 16,343 | 10,749 | 5,594 | 21% | 0 | 470 |
| May | 773 | 51,762 | 16,343 | 10,749 | 5,594 | 21% | 0 | 470 |
| June | 1,376 | 53,138 | 16,971 | 11,171 | 5,800 | 21% | 1 | 471 |
| July | 651 | 53,789 | 17,381 | 11,421 | 5,960 | 21% | 3 | 474 |

* Since April 2003. Source: HHS Office for Civil Rights
Please credit Health Information Privacy/Security Alert if you cite any of these statistics.

OCR Security Stats
OCR said it received 145 complaints
alleging a security rule violation since Oct. 1, 2009. That
suggested it received 12 complaints in June. It received 12 in June
and 23 in May.
During
this period, it closed 50 complaints after investigation and
appropriate corrective action. That indicated that OCR closed no
cases in July. It closed 10 cases in June and no cases in May.

TRANSACTION STANDARD COMPLAINTS
HIPAA Complaints Received by CMS Through June 30, 2010

| Complaint Type | Total | Open | Closed |
|---|---|---|---|
| Transaction and Code Sets | 665 | 27 | 638 |
| National Provider Identifier | 47 | 1 | 46 |
| Total | 712 | 28 | 684 |

No Civil Penalties Imposed
Open – Outstanding issues remain. Entity may be under a corrective action plan, or
additional information from either the complainant, the filed-against
entity, or both is being sought.
Closed – No further action required. All issues have been
sufficiently resolved.
Source: CMS