Federal Breach Tally Growth Slows
Only 7 Health Info Breaches Affecting 28,000 Added in Past Month
Only seven cases affecting about 28,000 individuals have been added to the list since April 25. By comparison, 16 cases affecting a total of more than 2.5 million were added to the list the previous month. That included 1.9 million affected by the Health Net breach, which involved hard drives missing from a data center managed by IBM (See: Health Net Breach Tops Federal List).
The Department of Health and Human Services' Office for Civil Rights adds incidents to its list as it confirms the details. It also fine-tunes the total number of individuals affected and adds information as its investigations continue.
The largest incident added to the tally in recent weeks involved the theft of a server at an orthodontics practice, which affected about 21,000 patients (see: Breach Hits an Orthodontics Practice).
Thefts and Losses Dominate
The theft or loss of computing devices, including laptops, desktop computers and servers, as well as other portable devices and media, accounts for 58 percent of the incidents on the Office for Civil Rights' tally. Laptops were involved in 43 percent of these thefts or losses.
At a recent conference, David Holtzman, health information privacy specialist at OCR, said: "Raising the security awareness of your workforce is your best defense against having a breach incident."
Organizations that successfully create a culture of compliance and promote good data stewardship will "be at lower risk of having a breach or having your data sitting on a laptop that's unprotected in the airport or in somebody's car while it's parked at the grocery store," Holtzman said.
Based on the breach incidents reported so far, Holtzman advised healthcare organizations to:
- Make widespread use of encryption, especially for data stored on various devices, including laptops.
- "Do not neglect physical safeguards for areas where paper records are stored and used."
- Consider reducing risk by using network or enterprise storage rather than storing protected health information on devices, such as laptop or desktop computers.
- "Create clear and well-documented administrative and physical safeguards for storage devices and removable media" that are used to store protected health information.
HITECH Act Mandate
OCR began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the interim final version of the HITECH Act breach notification rule took effect.
The rule requires healthcare organizations to notify those affected by breaches of any size. Major incidents, defined as those affecting 500 or more individuals, must be reported to the Office for Civil Rights within 60 days of discovery. Breaches of information that was encrypted in a manner consistent with the HHS guidance on securing protected health information do not have to be reported; that guidance points to NIST Special Publication 800-111 for data at rest, and the exemption applies only if the decryption key was not exposed along with the data, which is why the guidance calls for keys to be stored separately from the devices that hold the encrypted data.
A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected later this year as part of an "omnibus" package of several rules (see: HITECH Mandated Regs Still in Works). The interim final version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.
Long before a breach incident occurs, healthcare organizations must be well-prepared to carefully analyze an incident to determine if it must be reported, says Harry Rhodes, director of practice leadership at the American Health Information Management Association (see: Breach Notification: Be Prepared). "You need to have a mechanism so you're not just going on your gut reaction," Rhodes says.