20 Incidents Account for 79% of Breached Patient Records Publicized by OCR

Reasons for BA Breaches As of Jan. 17, 2012

| # of Breaches | Cause of Breach |
|---|---|
| 29 | Theft |
| 26 | Unauthorized Access/Disclosure |
| 18 | Loss |
| 4 | Hacking/IT Incident |
| 3 | Unauthorized Access/Disclosure & Hacking/IT Incident |
| 2 | Improper Disposal |

Source: HHS Office for Civil Rights

Breaches involving more than 500 patients reached 385, affecting 19,016,807 individuals, according to an analysis by Health Information Privacy/Security Alert of OCR statistics from Dec. 17 through Jan. 17.

That represented an increase of five reported breaches affecting an additional 956,976. In the previous month (Nov. 17 – Dec. 17), OCR reported 16 new breaches affecting 94,762 individuals.

The month-to-month differences reflect the wide range and effect of the reported breaches.

The analysis found that 303 (79%) of the reported breaches affected under 10,000 patients, for a total of 1,577,767, or 3.9% of the total number of patients.

Twenty breaches accounted for the vast majority of affected patients (16,694,299).

The statistics do not include the tens of thousands of self-reported breaches affecting fewer than 500 patients that suffer from many of the same issues as the larger breaches.

Paper records continue to be the most frequent source of breached patient information, serving as the sole location of a breach in at least 91 incidents affecting 494,363. Paper records were involved in six other breaches as well.

Laptops were the sole location for 78 breaches affecting 1,751,631 patients. Laptops were involved in an additional 13 incidents.

The loss or theft of backup tapes represented the single source of the most affected patients (5,969,483).

Physical security – not electronic hacking – was far and away the leading reason for a breach. Theft alone accounted for 187 breaches affecting 7,623,538; the loss of patient data was the sole reason for 50 breaches affecting 7,239,015 patients.

Electronic attacks were the sole reason for 22 incidents affecting 546,223 patients.

From a strictly HIPAA privacy perspective, 67 violations were solely attributable to unauthorized access/disclosure and affected 636,748 patients.

Business Associates accounted for 84 breaches, with theft (29), unauthorized access (26) and loss (18) accounting for most of them.

The full analysis of the health data breaches is available in Health Information Privacy/Security Alert.

Privacy Complaints Remain High in December

The HHS Office for Civil Rights (OCR) reported it received more than 66,736 complaints, suggesting that it received 821 complaints in December. It received 874 complaints in November and 915 in October.

The overall level of complaints in the 800-plus range in the last few months suggests that OCR may be consistently receiving complaints at a higher level per month than in previous years. The increase in complaints could be the result of more alerts by covered entities to their patients that breaches have occurred. Nothing stops a patient from filing a complaint upon being informed of a breach by a covered entity.

Of the 23,070 HIPAA complaints that fell within OCR’s jurisdiction, 15,176 required corrective actions by covered entities (CEs).

An analysis by HIP/SA found that the agency determined that an additional 251 HIPAA complaints required actions by covered entities in December. In November, 157 covered entities had to make changes, and 241 covered entities made changes in October.

For the remaining 7,725 complaints within OCR’s jurisdiction, no violation was found.

The agency said it had resolved more than 91% of all the complaints it had received. However, that statistic included a large number of complaints (37,275) that did not fall within HHS’s jurisdiction.

Overall, about 23% of total complaints resulted in some corrective action by CEs.

The statistics do not reflect investigations that OCR initiated on its own in response to the tens of thousands of smaller incidents reported by CEs under the HITECH breach notification rules.

OCR referred more than 499 cases to the Justice Department for possible criminal prosecution. That suggested the agency made no referrals in December.

The Justice Department has not calculated how many of the referrals have resulted in action or how many had been returned to OCR. It told a Senate panel in November that it would start work on specifically tracking how many of these referrals were pursued.

However, in recent months, the Justice Department has shown more interest in using HIPAA as a criminal enforcement tool as the FBI and federal prosecutors become more comfortable with the law – particularly after the HITECH Act clarified that the criminal penalties do apply to individuals and not only to covered entities.

The privacy areas investigated most often were:
- Impermissible uses and disclosures of protected health information (PHI);
- Lack of safeguards of PHI;
- Lack of patient access to their PHI;
- Uses or disclosures of more than the Minimum Necessary PHI; and
- Complaints to the covered entity.

The most common types of covered entities that had to take corrective action to get into compliance were:
- Private Practices;
- General Hospitals;
- Outpatient Facilities;
- Health Plans; and
- Pharmacies.

PRIVACY: HIPAA Complaints Lodged with OCR Through Dec. 31, 2011*

| Month | Monthly | Running Total* | Cases Under OCR Jurisdiction | Cases Requiring CE Action | Cases Requiring No CE Action | % Required CE Action of Total Lodged Complaints | Case Referrals to DoJ | Running Total for DoJ* |
|---|---|---|---|---|---|---|---|---|
| 2009 | | | | | | | | |
| September | 653 | 46,973 | 13,998 | 9,318 | 4,680 | 19% | 0 | 464 |
| October | 659 | 47,632 | 14,303 | 9,601 | 4,802 | 20% | 0 | 464 |
| November | 591 | 48,223 | 14,588 | 9,656 | 4,922 | 20% | 2 | 466 |
| December | 545 | 48,768 | 14,901 | 9,854 | 5,047 | 20% | 1 | 467 |
| 2010 | | | | | | | | |
| January | 850 | 49,588 | 15,241 | 10,050 | 5,191 | 20% | 2 | 469 |
| February | 622 | 50,210 | 15,485 | 10,206 | 5,279 | 20% | 1 | 470 |
| March | 779 | 50,989 | 15,977 | 10,515 | 5,462 | 21% | 0 | 470 |
| April | 773 | 51,762 | 16,343 | 10,749 | 5,594 | 21% | 0 | 470 |
| May | 652 | 52,414 | 16,343 | 10,956 | 5,694 | 21% | 1 | 471 |
| June | 1,376 | 53,138 | 16,971 | 11,171 | 5,800 | 21% | 0 | 471 |
| July | 651 | 53,789 | 17,381 | 11,421 | 5,960 | 21% | 3 | 474 |
| August | 731 | 54,562 | 17,750 | 11,632 | 6,118 | 21% | 1 | 475 |
| September | 778 | 55,350 | 18,286 | 11,979 | 6,307 | 21.6% | 3 | 478 |
| October | 773 | 56,119 | 18,581 | 12,161 | 6,420 | 21.7% | 4 | 482 |
| November | 635 | 56,754 | 18,836 | 12,336 | 6,500 | 21.7% | 1 | 483 |
| December | 621 | 57,375 | 19,161 | 12,573 | 6,588 | 22% | 0 | 483 |
| 2011 | | | | | | | | |
| January | 774 | 58,119 | 19,460 | 12,781 | 6,679 | 22% | 1 | 484 |
| February | 792 | 58,911 | 19,787 | 13,003 | 6,784 | 22% | 3 | 487 |
| March | 834 | 59,745 | 20,200 | 13,294 | 6,906 | 22% | 4 | 491 |
| April | 805 | 60,550 | 20,200 | 13,503 | 7,022 | 22% | 1 | 492 |
| May | 783 | 61,333 | 20,877 | 13,745 | 7,132 | 22% | 1 | 493 |
| June | 783 | 62,039 | 21,214 | 13,972 | 7,132 | 23% | 0 | 493 |
| July | 706 | 62,708 | 21,430 | 14,105 | 7,325 | 23% | 1 | 494 |
| August | 735 | 63,443 | 21,749 | 14,309 | 7,440 | 23% | 0 | 494 |
| September | 683 | 64,126 | 22,075 | 14,527 | 7,548 | 23% | 1 | 495 |
| October | 915 | 65,041 | 22,407 | 14,768 | 7,639 | 23% | 3 | 498 |
| November | 874 | 65,915 | 22,650 | 14,925 | 7,725 | 23% | 1 | 499 |
| December | 821 | 66,736 | 23,070 | 15,176 | 7,894 | 22% | 0 | 499 |

* Since April 2003. Source: HHS Office for Civil Rights

Please credit Health Information Privacy/Security Alert if you cite any of these statistics.

OCR Security Stats
OCR said it received 514 complaints alleging a security rule violation since Oct. 1, 2009. That suggested it received 17 in December. It received seven in November and nine in October. OCR closed a total of 323 complaints after investigation and appropriate corrective action. That suggested that OCR closed 64 cases in December – a very high number. It closed 14 in November and nine in October.

OCR also reported that it had 266 open complaints and compliance reviews, down from 303 in November.

CMS Transaction Complaint Statistics

TRANSACTION STANDARD COMPLAINTS: HIPAA Complaints Received by CMS Through Dec. 31, 2011

| Complaint Type | Total | Open | Closed |
|---|---|---|---|
| Transaction and Code Sets | 748 | 16 | 732 |
| National Provider Identifier | 59 | 0 | 59 |
| Total | 807 | 16 | 791 |

No Civil Penalties Imposed

Open – Outstanding issues remain. Entity may be under a corrective action plan, or additional information is being sought from the complainant, the filed-against entity, or both.

Closed – No further action required. All issues have been sufficiently resolved.

Source: CMS