News

Breach notifications up in wake of new HIPAA security, privacy rules

Jean DerGurahian

The federal government has reviewed 35 security reports and required providers to send out more than 700,000 breach notifications since changes to HIPAA security laws went into effect late last year.

    Requires Free Membership to View

As of the end of January, providers reported 35 breaches of secure personal health information to the Office for Civil Rights. Each breach affected more than 500 individuals. In all, 712,000 breach notifications were sent, said Susan McAndrew, deputy director of health information privacy for the OCR. McAndrew presented an overview of new privacy and security laws during the 18th National HIPAA Summit being held this week in Washington.

McAndrew’s presentation was the first in the three-day conference that explores changes to HIPAA, the Health Insurance Portability and Accountability Act of 1996. As the health care industry prepares to implement more health information technology, the government hopes HIPAA rule changes will result in more stringent protections for personal health information stored in electronic health record systems and other electronic databases.

Now these people are learning
the cost-
effectiveness of encryption.

Susan McAndrew, deputy director of health information privacy, Office of Civil Rights

In most cases, a breach notification was necessary because large sets of electronic data were lost when the devices storing personal health information were targeted in thefts, the OCR said. “You don’t leave the stuff in your car,” McAndrew said. “Now these people are learning the cost-effectiveness of encryption.”

Under expanded privacy and security laws required through the HITECH Act, which was passed Feb. 17, 2009, the OCR has the right to impose monetary penalties from $100 to $50,000 per information breach. It was unclear from the presentation whether any penalties were given in the case of the 35 breaches.

During a pre-conference session, privacy experts reiterated the need for better data protection so providers aren’t caught in lengthy breach notification processes. “Encryption is a safe harbor for anything electronic,” said James Wieland, principal and chair of the health IT practice at Ober, Kaler, Grimes & Shriver in Baltimore.

Let us know what you think about the story; email Jean DerGurahian, News Writer.


Join the conversation Comment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.