As indicated in a July 8, 2010 press briefing, the Office of Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) has updated its HIPAA breach notification webpage. This is the webpage where OCR posts breaches of unsecured Protected Health Information (PHI) affecting 500 or more individuals. The format includes brief summaries of the incidents reported to the HHS Secretary that OCR has investigated and closed. The format also allows users to search and sort the posted breaches by entity, state, date, number of individuals affected, type of breach, and location of breached information. There are currently 107 breach notifications posted, all occurring since September 9, 2009. The breaches reported thus far indicate that theft ranks #1 as the type of activity leading to a breach. A quick run-down of the stats reflects the following:
On Friday, September 18, 2009, from 8:30 am to 3:00 pm, the HHS HIT Policy Committee discussed the standards under development for the 2013 and 2015 “meaningful use” criteria related to privacy and security. The Committee’s webpage gave the following overview of the purpose of the meeting:
Protecting health data through comprehensive privacy policies and security functions is a foundational requirement for appropriate management and exchange of individuals’ health data. It constitutes one of the five categories of criteria in the meaningful use criteria matrix. The HIT Policy Committee is holding an initial informational public hearing on September 18, 2009, as input to further deliberations regarding recommendations for 2013 and 2015 meaningful use criteria. Initially, the Committee is seeking testimony in four broad categories: 1) individual choice/control, data segmentation; 2) use, disclosure, secondary use, data stewardship; 3) aggregate data use, de-identification/re-identification, models for data storage; and 4) transparency, accountability, audit.
The Agenda and other materials supplied for this meeting are available on the HIT Policy Committee webpage (scroll down to Meetings and September 18, 2009). For information on how to access future meetings, go here. For more information about the HIT Policy Committee, a list of its members, and to access previous meeting transcripts and documents, visit the HIT Policy Committee webpage.
On August 17, 2009, the Federal Trade Commission (FTC) issued its final rule requiring vendors of “personal health records” to notify consumers when the security of their electronic health information is breached. On August 19, 2009, the U.S. Department of Health and Human Services (HHS) issued its interim final rule requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. These rules were issued pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), which is part of the American Recovery and Reinvestment Act of 2009 (ARRA). HITECH required the FTC and HHS to collaborate on development of the breach notification rules. The FTC’s press release and a link to its Breach Notification Rule are available here. The HHS press release and Breach Notification Rule are available here. HHS published the Breach Notification Rule in the Federal Register on August 24, 2009.