January 19, 2012

Question: I understand that the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently issued its “Annual Report to Congress on Breaches of Unsecured Protected Health Information.”  This report “describes the types and numbers of breaches that occurred between September 23, 2009 (the date the breach notification requirements became effective), and December 31, 2010” and “describes actions that have been taken by covered entities in response to the reported breaches.”  What was the magnitude of those breaches and how did most occur?

Answer: Please hang on to your HIPAA hat because the OCR reported that, during those 15 months, there had been approximately 250 breaches affecting more than 7.8 million people!

This annual report to Congress is mandated by the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  Enacted in 2009, HITECH made significant changes to the HIPAA Privacy and Security Rules. One of the most important changes was the requirement that hospitals notify patients of a “breach” of their “unsecured” protected health information (“PHI”).  If the breach affected more than 500 patients, HHS must be notified of the breach at the same time that individuals affected by it are notified.  Breaches that involve 500 or more individuals are publicly posted on the OCR’s website.

Theft of PHI accounted for the majority of breaches. The largest reported theft affected approximately 1.9 million people. Backup tapes that contained electronic medical records were stolen while a vendor was transporting them from the covered entity to the vendor's site. Thefts of laptops, desktop computers, smartphones and flash drives accounted for 67 of the 250 incidents reported.

The second category of large breaches (in terms of the number of incidents and the number of people affected) involved the loss of electronic media or paper records.