For Calendar Years 2011 and 2012
Just released, the original report is pretty long and, let's face it, a little (actually, very) boring. (Here it is if you want to brave it: HHS Report.) I'm going to extract a few highlights for you over the next couple of weeks, because that's what I do here at Total HIPAA: I read the stuff that you don't want to, translate it into common everyday language, and try to make it valuable. You're welcome, Internet friends!
On to the report. We are going to be talking about breaches first, and no, we aren't talking about pants, though you can lose them if you have a HIPAA violation. For those of you new to HIPAA, breaches of over 500 individuals' PHI must be reported to HHS when you notify the individuals that their PHI has been compromised, or within 30 days of discovery. Any breaches affecting fewer than 500 individuals should be logged and submitted within 60 days of the end of the calendar year. There is an online form for submitting breaches here: https://ocrnotifications.hhs.gov/
Ok, on first read, I'm horrified at the number of breaches that affected more than 500 people in 2011. The number is 236 reported breaches affecting approximately 11,415,185 individuals. Yes, it is over 11 million, and no, I did not make this up. The Office for Civil Rights (OCR) says this year was a little out of the ordinary since a number of larger breaches were reported: one for over a million, another for 2 million, and lastly one for nearly 5 million… seriously?!?! The reason these are listed as approximate is that the violators weren't really certain how many records were affected; guess you lose count after a while?
So, who was doing all this breaching? Well, it turns out that the huge breach of almost 5 million people was by a business associate. The offending party was Science Applications International Corp., of McLean, Va. They reported to their client, Tricare, that they had lost unencrypted backup drives holding a mere 4.9 million records. If you've been reading my blog, you will know how I feel about encryption. Just to reiterate, EVERYTHING must be encrypted and password protected at ALL TIMES! Have a laptop? Encrypt it! Have a mobile device? Encrypt it! See a pattern here?
What I find most interesting is that, when I travel around and speak about HIPAA, everyone groans when I bring up the new Common Agency provision in HIPAA. This is the part of the Omnibus ruling that says, "You are responsible for your Business Associates' compliance." Any wonder where this came from? Business Associates accounted for only 27% of the reported breaches in 2011, but they were responsible for 64% of the total number of people whose information was breached.
This is why I tell everyone I speak with, present to, consult with, and pass casually on the street (ok, the last one is a bit of a stretch) to audit their Business Associates before doing business with them. You want to see their Privacy and Security Policies and Procedures, any subcontractor agreements they have, their Notice of Privacy Practices, and their training logs. Their breaches are now your breaches, and we here are trying to keep you from losing your breeches in the process!
If you want to keep track of what we are up to here at Total HIPAA, you can follow our blog by registering over on the right, or on Twitter, Google+, Facebook, and/or LinkedIn. If you enjoy and read our blogs, make sure to throw us some love!
Till next week!
By: Jason Karn