OCR Annual Report Highlights Breaches Of Unsecured Protected Health Information


The Health Information Technology for Economic and Clinical Health Act ("HITECH") requires Covered Entities and Business Associates to provide notification of breaches of unsecured Protected Health Information. The Department of Health and Human Services ("HHS") issued its Breach Notification for Unsecured Protected Health Information Interim Final Rule on August 24, 2009 (74 Fed. Reg. 42740). On January 25, 2013, HHS published modifications to the Breach Notification Rule and made the provisions permanent (78 Fed. Reg. 5566). HITECH also requires the Secretary of HHS (the "Secretary") to prepare and submit an annual report to Congress containing the number and nature of breaches reported to the Secretary, and the actions taken in response to those breaches. The Secretary filed her report on June 10, 2014, for breaches occurring in calendar years 2011 and 2012.

The Report noted that the Office of Civil Rights ("OCR") of HHS, the agency responsible for enforcing privacy and security requirements under the Health Insurance Portability and Accountability Act ("HIPAA"), opened investigations into all 458 breaches affecting 500 or more individuals that occurred in 2011 and 2012. Although many investigations remain open, others have been closed after achieving voluntary compliance, through corrective action and technical assistance, through resolution agreements, and where it was concluded that no violation occurred. OCR determined that much can be learned about the areas of vulnerability in the privacy and security of Protected Health Information from the breach notifications it receives. The Report recommended particular attention to the following compliance efforts:

  • Risk Analysis and Risk Management
  • Security Evaluation
  • Security and Control of Portable Electronic Devices
  • Proper Disposal
  • Physical Access Controls
  • Training

OCR believes the breach notification requirements are achieving their twin objectives of increasing public transparency in cases of breach and increasing accountability of Covered Entities and Business Associates. The Report underscores the need for Covered Entities and Business Associates to review their privacy and security safeguards to ensure they are adequate and meet applicable regulatory requirements.

The Report may be accessed on the OCR website at http://www.hhs.gov/ocr/privacy/index.html.


 

 

Topics:  Annual Reports, Breach Notification Rule, HHS, HITECH, PHI

Published In: General Business Updates, Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miller & Martin PLLC | Attorney Advertising
