HIPAA Regulatory Alert

HHS reports complaints and breaches to Congress

Data breaches impact almost 8 million people

More than 57,000 complaints of Privacy Rule violations were received by the Health and Human Services' (HHS) Office for Civil Rights (OCR) between April 2003 and December 2010. More than 250 large data breaches, defined as those involving the protected health information of more than 500 individuals, occurred in 2009 and 2010.

These are just a few of the statistics reported to Congress by HHS as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. More than 19,000 of the Privacy Rule complaints were investigated, with no violation found in 34% of the cases. Of the 800 complaints about Security Rule violations received, nearly half of the 290 complaints investigated were not found to be violations.

The most common compliance issues with the Privacy Rule that the OCR investigated were the following, in order of frequency:

• impermissible uses and disclosures of protected health information (PHI);

• lack of safeguards of PHI;

• denial of individuals' access to their PHI;

• uses or disclosures of more than the minimum necessary PHI;

• inability of individuals to file complaints with covered entities.

The most common areas for which entities failed to demonstrate adequate policies and procedures or safeguards, as required under the HIPAA Security Rule, include the following, listed by frequency:

— response and reporting of security incidents;

— security awareness and training;

— access controls;

— information access management;

— workstation security.

A separate report on data breaches in 2009 and 2010 showed that covered entities notified a total of 7.8 million people that their protected health information (PHI) was compromised in a data breach. The most common cause of data breaches in both years covered by the OCR report was theft of paper records or electronic media containing patient information. Other top causes of breaches included unauthorized access, use or disclosure of protected patient information, and human error.

In addition to the large breaches, covered entities reported more than 30,500 smaller breaches to HHS in 2009 and 2010. The OCR report indicated that most of those breaches affected just one individual and were caused by misdirected communications, such as mistakenly mailing or faxing clinical or claims data or test results to the wrong person. (Editor's note: To see a copy of the full reports presented to Congress, go to www.hhs.gov/ocr/privacy. Under the "Reports to Congress" section on the right navigational bar, choose "HITECH Act Reports to Congress, 9/1/11.")