HHS reports a significant number of PHI breaches by HIPAA covered entities

The U.S. Department of Health and Human Services (HHS) states that since the new federal breach notification requirement took effect in September 2009, large breaches of patients’ health information have been reported by more than 30 HIPAA covered entities. The breach notification requirement, enacted in the American Recovery and Reinvestment Act of 2009, requires Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities to notify individuals whose protected health information may have been improperly accessed, used or disclosed. If the incident affects 500 or more patients, the covered entities are also required to notify HHS and the media. HHS must post the names of entities that report large breaches on its Web site.

Among these breaches, the most significant was reported by Blue Cross Blue Shield of Tennessee; it affected about 500,000 persons and was attributed to stolen hard drives. More than half of the 36 reported large breaches involved theft, loss or unauthorized access of computers or laptops. Several others involved portable electronic devices. Only a few of the reported breaches involved paper records. HHS also received approximately 300 reports of smaller breach incidents, typically involving paper records.

HHS posted its list on the Web site on Feb. 22, listing the causes of the 36 breaches as:
• theft (22);
• theft and unauthorized access (five);
• loss (three);
• incorrect mailing/e-mail (two);
• unauthorized access (two);
• hacking (one); and
• phishing scam (one).