Recently, the U.S. Department of Health and Human Services Office for Civil Rights presented to Congress its annual report regarding breaches of unsecured protected health information for calendar years 2009 and 2010. As required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, HIPAAcovered entities are required to notify affected individuals, the Secretary of Health and Human Services (the “Secretary”), and in some cases, the media following the breach of unsecured protected health information. Annually, the Secretary is required to submit a report to Congress containing the number and nature of the breaches reported and the actions taken in response to such breaches.
For 2009, the Secretary reported that the common causes of large breaches (500 or more individuals affected) were (1) theft of paper records or electronic media (laptops desktops, hard drives, portable electronic devices), (2) intentional unauthorized access to, use, or disclosure of protected health information, (3) human error, and (4) the loss of electronic media or paper records containing protected health information. For 2009, covered entities notified approximately 5.4 million individuals that they were affected by a breach. For 2010, the Secretary reported the same four categories and added a fifth – improper disposal of paper records by the covered entity or a business associate. Theft continued to be the most common cause of large breaches, affecting over 2.9 million individuals.
With respect to the breaches in 2009 and 2010, most covered entities responded by revising policies and procedures, improving physical security by installing new security systems or relocating equipment or data to more secure areas, providing additional training to employees who handle protected health information and providing free credit monitoring services to affected individuals.