The requirements under the HIPAA/HITECH statutes and regulations for public disclosure of breaches of Protected Health Information (“PHI”) have brought to light an increasing volume of breaches of PHI involving highly respected and sophisticated providers and insurers. On November 21, 2010, a posting on this blog discussed a PHI security breach (the “September 2010 Breach”) involving Henry Ford Health System in Michigan (“Henry Ford” or the “health system”) that was discovered by the health system on September 24, 2010. A follow-up posting in this series on November 24, 2010 reported that 3,700 individuals had been affected in the September 2010 Breach.
On February 25, 2011, Robin Erb, Medical Writer at the Detroit Free Press, wrote an article entitled, “Lost Device Compromises Medical Information of 2,777 Patients” relative to another security lapse in less than a year within Henry Ford (the “January 2011 Breach”). According to Ms. Erb, an employee of the health system lost a flash drive with information on 2,777 patients on January 31, 2011.
As Ms. Erb reported,
Hospital officials said it's unclear how the flash drive was lost. The device is not encrypted, as required to protect individual patients' information, officials said.
The information involved patients tested for urinary tract infections between July and October 2010 and included names, medical record numbers, test information and results.
While the first blog posting in this series about the November 2010 Breach gave a link to the Henry Ford posting of on its Web site about the security breach, that posting and link have apparently been already taken down by the health system. However, more than 500 other earlier stories dating back as far as March of 2005 remain on the Henry Ford News list. A visit today to the News list on the health system’s Web site also reveals that Henry Ford has made no posting to date about the January 2011 Breach.
HIPAA/HITECH provides that the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” The maximum time, therefore, for Henry Ford to notify the HHS about the January 2011 Breach is 60 days after the discovery date of January 31,2011 or April 1, 2011. Soon after notification by the health system to the HHS, the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals would add the January 2011 Breach.
It is interesting that, while Ms. Erb’s article was published almost three weeks ago, nothing has apparently been published by Henry Ford about the January 2011 Breach on its Web site. Nor has the January 2011 Breach yet appeared on the HHS Web site. This matter warrants further monitoring.