OCR data breach tally passes a milestone

Compliance Monitor, August 17, 2011

Covered entities (CE) have reported breaches of unsecured protected health information affecting 500 or more individuals to the Office for Civil Rights (OCR) nearly once every other day since the HIPAA privacy and security enforcer began posting this information 18 months ago.

The list, posted on the OCR breach notification website, reached 300 entries last week. The website went live in February 2010 and lists breaches dating back to September 2009, which works out to roughly 13 reported breaches per month since the fall of 2009.

The website is required by the breach notification interim final rule, in effect since September 2009. A little more than a year ago OCR withdrew the final version of the rule from review at the Office of Management and Budget (OMB), which reviews rules for government agencies, because OCR wanted more time to pursue changes to it.

Rule provisions require:

  • Notice to affected individuals “without unreasonable delay” and no later than 60 days after the breach is discovered
  • Notice to CEs by business associates (BA) when the BA discovers a breach
  • Notice to prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction
  • Notice to next of kin or a personal representative when a breach affects deceased patients
  • Notice to the HHS secretary, without unreasonable delay, of breaches affecting 500 or more individuals
  • Annual notice to the HHS secretary of breaches affecting the unsecured PHI of fewer than 500 individuals, where the incident poses a significant risk of financial, reputational, or other harm to the individual