As indicated in a July 8, 2010 press briefing, the Office of Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) has updated its HIPAA breach notification webpage. This is the webpage where OCR is posting breaches of unsecured Protected Health Information (PHI) affecting 500 or more individuals. The format includes brief summaries of the incidents reported to the HHS Secretary that OCR has investigated and closed. The format also allows users to search and sort the posted breaches by entity, state, date, number of individuals affected, type of breach, and location of breached information. There are currently 107 breach notifications posted, all occurring since September 9, 2009. The breaches reported thus far indicate that theft ranks #1 as the type of activity leading to a breach. A quick run-down of the stats reflects the following:
Article Summary: The Federal Trade Commission’s Red Flags Rule for identity theft applies to most health care providers, according to the FTC’s current guidance. The FTC makes a clear attempt under the Rule to regulate medical identity theft, as opposed to credit identity theft. The result is that the FTC will have regulatory authority in an area that the Department of Health & Human Services, since the issuance of the Red Flags Rule in late 2007, has seen fit to strengthen under the HITECH Act of 2009, through both enhanced security protections and breach notification requirements. Further, the HITECH Act put into motion aggressive health information technology reform that also will likely address medical identity theft. Do we really need another federal agency regulating the privacy and security protections that health care providers provide for medical records? This article summarizes the key components of the Red Flags Rule that will draw most health care providers into its reach and discusses how current health care reforms may help prevent medical identity theft.