On February 22, 2010, the Department of Health and Human Services (HHS) Office for Civil Rights posted a list of reports of breaches of unsecured protected health information (PHI) affecting 500 or more individuals.

The list includes thirty-six (36) breaches, affecting between 501 and 500,000 individuals. Twentyseven (27) of the breaches resulted from thefts of paper or electronic records. Other breaches were described as “Hacking/IT Incident,” “Loss,” “Incorrect Mailing,” “Unauthorized Access,” “Misdirected Email,” and “Phishing Scam.” The breach affecting the largest number of individuals was reported by Blue Cross Blue Shield of Tennessee. There, a theft of hard drives resulted in breaches of unsecured PHI affecting half a million individuals.

A wide array of covered entities is represented on the list. They include a state Medicaid agency, children’s hospitals, a Medicare managed care organization, and various unidentified “Private Practices.” The list also indicates that several business associates, including marketing firms and computer services firms, were involved in the breaches.

The HI-TECH Act requires covered entities to report breaches affecting 500 or more individuals to HHS within 60 days of discovery of the breach and requires that HHS post on its website a list of these reported breaches.

As a reminder, the HI-TECH Act also requires covered entities to file with HHS annual reports of breaches affecting fewer than 500 people by March 1. Every covered entity must report all breaches occurring on or after September 23,2009, by March 1, 2010. Breaches are reported via the HHS website, which includes instructions and information for making reports.

More information about HIPAA, the HI-TECH Act provisions of the American Recovery and Reinvestment Act, and the notice of breach rules is available on our HIPAA Resource Page. Bricker & Eckler and QMCG have also developed a HIPAA Compliance Program, available for subscription, which provides all of the forms, policies and tools a health care provider or a health plan needs to comply with the HI-TECH Act changes to HIPAA, including templates for business associate agreements and amendments, and a sample breach policy, sample notice letters and other useful tools. More information about the HIPAA Compliance Program can be found at http://www.bricker.com/hipaa/guide.aspx.