OCR Annual Report Highlights Breaches Of Unsecured Protected Health Information


The Health Information Technology for Economic and Clinical Health Act ("HITECH") requires Covered Entities and Business Associates to provide notification of breaches of unsecured Protected Health Information. The Department of Health and Human Services ("HHS") issued its Breach Notification for Unsecured Protected Health Information Interim Final Rule on August 24, 2009 (74 Fed. Reg. 42740). On January 25, 2013, HHS published modifications to the Breach Notification Rule and made the provisions permanent (78 Fed. Reg. 5566). HITECH also requires the Secretary of HHS (the "Secretary") to prepare and submit an annual report to Congress containing the number and nature of breaches reported to the Secretary, and the actions taken in response to those breaches. The Secretary filed her report on June 10, 2014, for breaches occurring in calendar years 2011 and 2012.

The Report noted that the Office for Civil Rights ("OCR") of HHS, the agency responsible for enforcing privacy and security requirements under the Health Insurance Portability and Accountability Act ("HIPAA"), opened investigations into all 458 breaches affecting 500 or more individuals that occurred in 2011 and 2012. Although many investigations remain open, others have been closed after achieving voluntary compliance, through corrective action and technical assistance, through resolution agreements, and where it was concluded that no violation occurred. OCR determined that much can be learned about the areas of vulnerability in the privacy and security of Protected Health Information from the breach notifications it receives. The Report recommended particular attention to the following compliance efforts:

  • Risk Analysis and Risk Management
  • Security Evaluation
  • Security and Control of Portable Electronic Devices
  • Proper Disposal
  • Physical Access Controls
  • Training

OCR believes the breach notification requirements are achieving their twin objectives of increasing public transparency in cases of breach and increasing accountability of Covered Entities and Business Associates. The Report underscores the need for Covered Entities and Business Associates to review their privacy and security safeguards to ensure they are adequate and meet applicable regulatory requirements.

The Report may be accessed on the OCR website at http://www.hhs.gov/ocr/privacy/index.html.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miller & Martin PLLC | Attorney Advertising
