Posted on January 11, 2013
As required by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), the Department of Health and Human Services (“HHS”) maintains a public list of breaches of unsecured electronic Protected Health Information (“PHI”) affecting 500 or more individuals. As of January 1, 2013, the HHS list identifies over 500 breaches. The list also includes the names of the providers who have reported the breaches and summaries of the breach cases investigated by the government.
The Ponemon Institute estimates that the economic impact of a single data breach is about $537,186. Nearly half of reported breaches are attributed to the theft or loss of a mobile device, and HHS has therefore recently launched a website focusing on mobile device security (healthit.gov).
Further, as a recent settlement agreement between HHS and Hospice of North Idaho demonstrates, even though the published HHS list does not include breaches affecting fewer than 500 individuals, the government will continue to pursue HIPAA violations affecting fewer than 500 individuals.
For more information on complying with patient privacy regulations and recent enforcement actions, see Attorney Sadaly’s article on compliance with HIPAA and the HITECH Act.
Joy E. Sadaly is an associate at Knox, McLaughlin, Gornall & Sennett, P.C. who focuses her practice at the intersection of health care, business, and technology. If you have questions or concerns about complying with HIPAA and the HITECH Act, you can contact us at 814-459-2800.