OCR Annual Report to Congress on HIPAA Breaches: Theft, Loss and Unauthorized Access to PHI Continue to Be Concerns

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently submitted to Congress its annual HIPAA breach notification report for 2011 and 2012, as required by the HITECH Act. The report discussed both large HIPAA breaches (involving more than 500 people, which must be reported to OCR within 60 days) and smaller HIPAA breaches (involving fewer than 500 people, which must be reported to OCR annually). The report showed that the greatest number of large incidents requiring HIPAA breach notification during this period was attributed to the theft of electronic equipment/portable devices or paper containing electronic protected health information (ePHI).

The second most frequent cause of large incidents requiring HIPAA breach notification was unauthorized access to or disclosure of records containing PHI, and the third most frequent cause in both 2011 and 2012 was “loss of electronic media or paper records containing PHI.”

In 2012, laptop computers were the most common location of PHI involved in a HIPAA breach, taking the place of paper, which was the most common location in 2011. This likely demonstrates the increasing shift from paper to electronic records and the need to protect ePHI accordingly.

In the report, OCR recommends that covered entities, as part of their HIPAA compliance efforts, pay particular attention to the following:

– Risk analysis and risk management

– Security evaluation in response to operational or technical changes

– Security and control of portable electronic devices including policies and procedures governing the receipt and removal of portable electronic devices and media

– Proper disposal of all forms of PHI, including appropriately purging or wiping electronic devices containing ePHI

– Physical access controls limiting access to facilities and workstations that house ePHI

– Training employees on appropriate safeguards and ensuring that the employees are aware of sanctions and consequences that will be imposed for HIPAA violations

For more information about HIPAA and handling HIPAA breaches, please see our HIPAA resources page or contact one of our HIPAA attorneys.
