The year isn't over quite yet, but 2010 has already logged a remarkable number of privacy breaches. As of November 30, the Office for Civil Rights of the U.S. Department of Health and Human Services had received reports of 197 health insurance companies, health care providers and health data clearinghouses failing to protect individually identifiable health information as required under HIPAA and HITECH regulations. Nearly half of those reports have been made since July.
The two laws were designed to protect an individual's control over who may look at and receive private health information. The information can be in written or electronic form, as well as spoken. The security provisions require health insurance companies, doctors and other covered entities to put safeguards in place to protect the integrity, confidentiality and availability of that data. The security rule, however, applies only to individually identifiable health information that an entity creates, receives, transmits or maintains in electronic form. This data set is called electronic protected health information, or e-PHI.
OCR is required to publish a list of any breach of e-PHI involving 500 or more individuals. In the first five months the list was available on the OCR website, reports averaged about 15 per month. Since July, the average has jumped to 18 per month. The largest single breach was reported by Florida's AvMed Health Plan. That breach, discussed in our last post, affected 1.22 million individuals.
As in the AvMed breach, stolen laptops are the most frequent location of breached information on the OCR list, accounting for 55, or 27.9 percent, of the 197 reports. Paper records came in second, with 41 reports (about 21 percent). Desktop computers were third (32 reports, or 16 percent), and portable electronic devices (29 reports, or almost 18 percent) fourth.
Only one report came close to AvMed's. Blue Cross Blue Shield of Tennessee reported a theft of hard drives in October 2009. In that case, 1.02 million individuals were affected.
If there is a lesson in all of this for consumers, it is to read your medical provider's and health insurer's privacy policies carefully, to know your rights and to file a complaint if you believe your rights have been violated.
Health Leaders Media, "OCR: Data Breaches Double Since July," 12/02/10
U.S. Department of Health and Human Services, Office for Civil Rights, Health Information Privacy website