Privacy breaches affect 3.4 million individuals and counting…

In this article, I posted about the U.S. Department of Health & Human Services’ (HHS) HITECH breach website.  The website lists all privacy breaches affecting 500 or more individuals.  I recently went back to the website to take another look at the number of breaches.  I was interested in the total number of individuals that have been affected by privacy breaches.  I exported the information into Microsoft Excel and added up the individuals affected in each breach to come up with a shocking 3,459,108 individuals affected.

It should be noted that most of the breaches were due to electronic data security issues but some also involved improper disposal of paper records and theft of paper records.

As I mentioned in this post – we are seeing a lot of security breaches even before the majority of health organizations make the switch from paper records to EHR.  In order for HITECH to succeed, we need a strong emphasis on patient security right now!


NJ and CT among states to benefit from $162 million

According to a press release from the U.S. Department of Health and Human Services (HHS), several states will benefit from additional stimulus funds.  The funds are to help set up health information exchanges (HIE).

The health information exchange (HIE) awards announced today provide approximately $162 million to 16 states and qualified state designated entities (SDEs) to facilitate non-proprietary health information exchange that adheres to national standards.  Health information exchange is critical to enabling care coordination and improving the quality and efficiency of health care.

“Today’s announcement of awards to 16 states and SDEs marks a significant milestone with all states now empowered to start their journey towards identifying innovative ways to break down these barriers that prevent the seamless exchange of information, so that we can give patients the access to care they deserve and expect,” stated Dr. David Blumenthal, national coordinator for health information technology.  “States play a critical leadership role in advancing the development of the exchange capacity of healthcare providers and hospitals within their states and across the nation. Health information exchange will enable eligible healthcare providers to be deemed meaningful users of health IT and receive incentive payments under the Medicare and Medicaid electronic health record (EHR) incentive program.”

New Jersey is set to receive $11.4 million and Connecticut will receive $7.2 million.

The states receiving funds from the $162 million awards include:

State/SDE                                                 Award Amount
Agency of Health Care Administration (FL)                  $20,738,582
The Maryland Department of Health and Mental Hygiene        $9,313,924
New Jersey Health Care Facilities Financing Authority      $11,408,594
South Carolina Department of Health & Human Services        $9,576,408
Iowa Department of Public Health                            $8,375,000
Idaho Health Data Exchange                                  $5,940,500
State of North Dakota, Information Technology Department    $5,343,733
State of Alaska                                             $4,963,063
Nebraska Department of Administrative Services              $6,837,180
South Dakota Department of Health                           $6,081,750
Department of Public Health, State of CT                    $7,297,930
State of Mississippi                                       $10,387,000
Indiana Health Information Technology, Inc.                $10,300,000
HealthShare Montana                                         $5,767,926
Texas Health and Human Services Commission                 $28,810,208
Louisiana Health Care Quality Forum                        $10,583,000
Total                                                     $161,724,798


HITECH Act breach notification requirements

In the age of the Internet and search engines, you want to get your practice noticed on the web.  But there is one place where you never want to see your practice’s name, and that is the U.S. Department of Health & Human Services’ (HHS) HITECH breach website.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

The site is for HIPAA / HITECH violations affecting 500 or more individuals.

Breaches Affecting 500 or More Individuals

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The following breaches have been reported to the Secretary.

The list contains:

  • the name of the entity (organization, corporation, practice, clinic, etc.)
  • the state where the entity is located
  • the approximate number of individuals affected
  • the date of the breach
  • the type of breach (theft, loss, unauthorized access, hacking/IT incident, incorrect mailing, misdirected e-mail, phishing scam, etc.)
  • the location of breached information (e.g. laptop, hard drive, mailing, e-mail, etc.)
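The first post above describes exporting the HHS breach list into a spreadsheet and adding up the individuals affected; the list fields just enumerated are what such an export contains. The script below is an added example (not code from the original posts or from HHS) that does the same aggregation over a CSV export and additionally breaks the total down by type of breach and by location of the breached information. The column headings and all rows except the Blue Cross Blue Shield of Tennessee record quoted on this page are constructed for illustration and are not real breaches.

```python
import csv
import io
from collections import Counter

# Constructed sample export shaped like the HHS breach list described above.
# The column names are this example's assumption about the export format.
# Only the Blue Cross Blue Shield of Tennessee row mirrors a record quoted on the page;
# the remaining rows are invented and do not describe real breaches.
SAMPLE_EXPORT = """\
Name of Covered Entity,State,Individuals Affected,Date of Breach,Type of Breach,Location of Breached Information
Blue Cross Blue Shield of Tennessee,TN,"500,000",10/02/09,Theft,Hard Drives
Example Clinic A (constructed),NJ,"1,200",11/15/09,"Theft, Loss",Laptop
Example Practice B (constructed),CT,750,12/01/09,Unauthorized Access,Desktop Computer
Example Hospital C (constructed),TX,"3,400",01/20/10,Improper Disposal,Paper
"""


def parse_count(text):
    """Turn a formatted count such as '500,000' or ' 750 ' into an int (0 if blank)."""
    digits = text.replace(",", "").strip()
    return int(digits) if digits else 0


def summarize_breaches(csv_text):
    """Parse a CSV export of the breach list and aggregate the individuals affected.

    Returns the number of breaches, the grand total of individuals, the total per
    breach type (a breach listed with several types counts once under each type),
    and the total per location of the breached information.
    """
    by_type = Counter()
    by_location = Counter()
    total = 0
    rows = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        affected = parse_count(row["Individuals Affected"])
        total += affected
        rows += 1
        # The list can record more than one type for a single breach, e.g. "Theft, Loss".
        for breach_type in row["Type of Breach"].split(","):
            by_type[breach_type.strip()] += affected
        by_location[row["Location of Breached Information"].strip()] += affected
    return {
        "breaches": rows,
        "total_individuals": total,
        "by_type": dict(by_type),
        "by_location": dict(by_location),
    }


if __name__ == "__main__":
    summary = summarize_breaches(SAMPLE_EXPORT)
    print(f"{summary['breaches']} breaches, {summary['total_individuals']:,} individuals affected")
    for kind, count in sorted(summary["by_type"].items(), key=lambda kv: -kv[1]):
        print(f"  {kind:<20} {count:>10,}")
```

Point the script at a real export by reading the file into a string and passing it to `summarize_breaches`; the breakdown by type is what shows whether electronic security failures or paper handling (theft, loss, improper disposal) account for most of the affected individuals.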

In this post I mentioned that Blue Cross Blue Shield of Tennessee had 57 hard drives stolen from a training center.  Each of the hard drives contained personal information about subscribers.  Following the data breach, they are now listed on the HHS breach website.

Blue Cross Blue Shield of Tennessee
State:    Tennessee
Approx. # of Individuals Affected:    500,000
Date of Breach:    10/02/09
Type of Breach:    Theft
Location of Breached Information:    Hard Drives

Let’s take a step back and look at the other breach notification requirements to comply with the HITECH Act.  The HHS website states that a covered entity must do the following in the event of a breach of unsecured protected health information:

Breach Notification Requirements

Following a breach of unsecured protected health information covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.  In addition, business associates must notify covered entities that a breach has occurred.

  • Individual Notice

Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information.  Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.  If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside.  If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.   

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity.  Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.

  • Media Notice

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.  Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.  Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

  • Notice to the Secretary

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information.  Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.  If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.  If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis.  Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

  • Notification by a Business Associate

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach.  A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.  To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.
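The four notices above form a decision procedure: the 60-day clock, the 10-individual threshold for substitute notice, the "more than 500 residents of a State" test for media notice, and the "500 or more individuals" test for the Secretary (with an annual report otherwise). As an added example, not from the original post or from HHS, the planner below encodes those rules so an incident responder can see at a glance who must be notified and by when. The `Breach` field names, the method descriptions and the two constructed cases are this example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# "without unreasonable delay and in no case later than 60 days"
NOTICE_WINDOW_DAYS = 60


@dataclass
class Breach:
    """The facts about a breach of unsecured PHI that drive the notification rules.

    Field names are this example's own, not HHS form fields.
    """
    occurred: date                   # when the breach happened (fixes the calendar year for annual reports)
    discovered: date                 # when it was discovered (starts the 60-day clock)
    affected_by_state: dict          # state -> residents affected, e.g. {"TN": 600, "GA": 40}
    stale_contact_count: int = 0     # individuals with insufficient or out-of-date contact information
    at_business_associate: bool = False  # breach occurred at or by a business associate

    @property
    def total_affected(self):
        return sum(self.affected_by_state.values())


def notification_plan(breach):
    """Return the required notifications as (recipient, method, deadline) tuples."""
    deadline = breach.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    plan = []

    if breach.at_business_associate:
        # The business associate must tell the covered entity and identify each affected individual.
        plan.append(("covered entity (from business associate)",
                     "notice identifying each affected individual", deadline))

    # Individual notice is always required: first-class mail, or e-mail if the individual agreed.
    plan.append(("affected individuals", "first-class mail or agreed e-mail", deadline))

    # Substitute notice depends on how many individuals cannot be reached.
    if breach.stale_contact_count >= 10:
        plan.append(("unreachable individuals",
                     "home-page posting or major print/broadcast media, with toll-free number", deadline))
    elif breach.stale_contact_count > 0:
        plan.append(("unreachable individuals", "alternative written, telephone or other means", deadline))

    # Media notice is judged per State: MORE THAN 500 residents of that State or jurisdiction.
    for state, residents in sorted(breach.affected_by_state.items()):
        if residents > 500:
            plan.append((f"prominent media outlets serving {state}", "press release", deadline))

    # Notice to the Secretary: 500 OR MORE individuals in total -> within the 60-day window;
    # fewer than 500 -> annual report, due 60 days after the end of the calendar year of the breach.
    if breach.total_affected >= 500:
        plan.append(("Secretary of HHS", "HHS breach report form", deadline))
    else:
        year_end = date(breach.occurred.year, 12, 31)
        plan.append(("Secretary of HHS", "annual breach report form",
                     year_end + timedelta(days=NOTICE_WINDOW_DAYS)))
    return plan


def demo_large_breach():
    """Constructed case: 640 individuals, 600 of them in one State, 12 unreachable."""
    return notification_plan(Breach(
        occurred=date(2009, 10, 2), discovered=date(2009, 10, 5),
        affected_by_state={"TN": 600, "GA": 40}, stale_contact_count=12))


def demo_small_breach_at_ba():
    """Constructed case: 120 individuals, breach occurred at a business associate."""
    return notification_plan(Breach(
        occurred=date(2009, 11, 1), discovered=date(2009, 11, 10),
        affected_by_state={"NJ": 120}, at_business_associate=True))


if __name__ == "__main__":
    for who, how, due in demo_large_breach():
        print(f"{due.isoformat()}  {who}: {how}")
```

The two thresholds are deliberately spelled out in the comments because they differ: a breach of exactly 500 individuals triggers notice to the Secretary within 60 days but, on its own, no media notice, since the media rule requires more than 500 residents of a single State.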

As you can see, the HITECH Act has put some stiff requirements on breach notification concerning unsecured protected health information.  My advice is to make sure your HIPAA policies and procedures are up to date, your staff is trained, and you do everything possible to avoid a data breach.  You don’t want to end up on the HHS “wall of shame”.
