Posts Tagged ‘HIPAA’

Statistics on HHS-published breaches affecting 500 or more individuals (per HITECH requirements): more than 1 million individuals affected

HHS publishing healthcare breaches

From September 2009 through January 2010, 36 breaches affecting an estimated 1,073,657 individuals were reported to HHS. Here are some statistics:

Where were the breaches?
  • 28% in California
  • 11% in Michigan
  • 11% in Texas
  • 8% in DC
  • 8% in Illinois
  • 33% in 10 other states

How many individuals were estimated to be affected?
  • 47% in Tennessee (506,400)
  • 33% in Florida (349,000)
  • 8% in New York (83,000)
  • 4% in California (48,283)
  • 7% in other states (76,974)

What were the types of breaches?
  • Theft was involved in 74% of the breaches, accounting for 90% of the individuals affected
  • Unauthorized access was involved in 20% of the breaches, accounting for 4% of the individuals
  • The other types (Loss, Mailing, Hacking/IT Incident, Misdirected Email, Phishing) were involved in 19% of the breaches, accounting for 9% of the individuals

Where was the information stored?
  • Laptops were involved in 22% of the breaches, affecting 36% of the individuals
  • Desktop computers were involved in 17% of the breaches, affecting 3% of the individuals
  • Portable electronic devices were involved in 8% of the breaches, affecting 3% of the individuals
  • Hard drives were involved in 1% of the breaches, affecting 47% of the individuals
  • Post cards were involved in 1% of the breaches, affecting 8% of the individuals
  • Other locations were: mailings, backup tapes, CDs, Electronic Medical Record systems, paper records, films, network servers and email.


More details in the post.

Posted by Waynerino - February 23, 2010 at 8:19 am

Great article in Network Computing about HITECH and HIPAA’s influence on healthcare organizations

"...The flurry of activity around security in the health care industry is largely a product of the HITECH (Health Information Technology for Economic and Clinical Health) Act, passed as part of the Obama administration's stimulus package passed a year ago. The act takes a carrot-and-stick approach to spur the conversion of all patient information to electronic health records. The federal government is offering $19.2 billion in incentives to organizations that meet its requirements, starting in 2011. On the other hand, the act provides penalties for non-compliance starting in 2015 and stiffer penalties for violating HIPAA, which has been largely unenforced.

The message to health care organizations struggling to protect patient information and other sensitive data under the HITECH Act, HIPAA and other compliance mandates is no different from the one enterprises across every vertical are hearing: Implement a risk- and standards-based approach across the organization and you're likely to succeed. Focus on technology and operations, and you'll certainly fail. "Make sure you've done a good job of organizing around security throughout the organization," said Brian Cline, director of information security at Catholic Health East. "Adopt a governance model to have successful security, otherwise security will just be an IT problem...."

Posted by Waynerino - February 18, 2010 at 12:46 pm

HIPAA complaints to HHS OCR drop in 2009

HIPAA complaints to the HHS OCR dropped significantly in 2009.

  • No analysis was provided by the OCR as to the cause of the drop.
  • Approximately 20% of the complaints required corrective actions to be taken.

Posted by Waynerino - February 2, 2010 at 7:59 am

Best practices for mobile device data encryption at HIPAA covered entities

Patient data was copied for 2,900 patients to an employee's thumb drive at BIDMC. The employee left that organization and went to a new one (UCSF). The employee loaded that data onto a laptop at the new organization to demonstrate quality improvement reporting. That laptop was stolen. Both organizations have potential HIPAA violations to worry about based on this person's actions. Some best practices:

  1. Policies should require that all mobile storage devices be secured.
  2. Encrypt all mobile devices, including laptops.
  3. Educate employees on how to protect privacy.
  4. Sanction employees who violate policies.
  5. Implement technologies that detect transfers of medical data (especially in unencrypted form). This should cover both transfers across the network and transfers via physical devices such as USB thumb drives, iPods, etc.

Posted by Waynerino - January 28, 2010 at 9:45 am

Can de-identified medical data be re-identified?

HHS is hiring a research contractor to answer the question "Can de-identified data be re-identified?". If de-identified (aka anonymized) medical data can be linked back to the actual patient, there are potential HIPAA security and HIPAA privacy implications. This may create problems for clinical trials and other activities.

  • Healthcare providers must remove 18 identifiers from medical data for it to be considered de-identified.
  • The contractor will attempt to link the records back to the original patients without the use of brute-force matching.

Posted by Waynerino - January 7, 2010 at 7:00 am

Hospital denied wife access to deceased husband’s medical records due to HIPAA

Hospital denied wife access to deceased husband's medical records due to HIPAA. Her husband had not specifically designated her as a person to whom information could be released. Additionally, she received a bill that seemed excessive but was denied access to the details of the charges. Security and privacy are great goals, but they aren't without costs, such as occasional situations like this.

Posted by Waynerino - January 6, 2010 at 12:17 pm

HIPAA v2's effect on clinical trials

The Executive Director of the Association of Clinical Research Organizations says that new HIPAA requirements may make investigator-clinical trial communication more complicated. Potential impact on HIPAA security and HIPAA privacy.

Posted by Waynerino - January 5, 2010 at 8:15 am

Potential HIPAA privacy violation at Indianapolis hospital

Potential HIPAA privacy violation at Indianapolis hospital: The patient was a reporter for a TV station and the person who received the bill was an attorney. I wonder whether, if neither were the case, this would have become public. These types of errors are often reported as one-time events; however, I highly suspect that the occurrences are common but the reporting is sporadic.

Posted by Waynerino - December 30, 2009 at 6:57 am