The Centers for Medicare and Medicaid Services (CMS) failed to meet the HITECH Act’s standard for timeliness in reporting medical data breaches to beneficiaries in seven of 14 cases over a two-year period, according to an Office of Inspector General report.
CMS did notify all beneficiaries about each of the 14 breaches, but it failed to do so within the recommended 60-day timeframe in half of the cases. The 14 breaches affected 13,775 beneficiaries and occurred between September 23, 2009 and December 31, 2011, the agency wrote in its report.
Health care facilities should have a data breach response plan in place so they can react to unauthorized access to patient information. Data breaches are most often the result of misplaced or stolen laptops, with 110 of 480 reported cases attributed to that cause. User education is the most important step in protecting against potential data breaches, particularly as patient access to information increases under meaningful use stage 2.
The patient data of nearly 3,900 people was put at risk during a recent data breach at Beth Israel Deaconess Medical Center (BIDMC). The data was compromised when a physician’s laptop was stolen. The risk of data breaches will always exist as long as physicians and others need access to medical information. BIDMC’s response to this breach was to educate its network users and encourage them to let hospital IT staff install the proper security on hospital-purchased employee devices.
More than 70% of health care professionals responded that their organizations had suffered a data breach during a yearlong period, according to a survey by Veriphyr. The survey also highlighted that some data breaches take longer to detect than others. Respondents noted that 17% of reported breaches took between two and four weeks to be discovered. A minority (16%) of the reported breaches were resolved in one to three days, while 25% were resolved in two to four weeks.
The HITECH Act redefined the conditions for data breach reporting. It states that any Health Insurance Portability and Accountability Act (HIPAA)-covered entity must report data breaches that affect over 500 patients. As of January 2012, 400 data breaches had met that reporting threshold. In addition, under HITECH Act rules encrypted data is considered protected and does not have to be reported as compromised in the event of a data breach.