
Analysis of the Annual Report to Congress on Breaches of Unsecured PHI

For Calendar Years 2011 and 2012

Just released, the original report is pretty long and, well, let's face it, a little (actually, very) boring. (Here it is if you want to brave it: the HHS Report.) I'm going to extract a few highlights for you over the next couple of weeks because that's what I do here at Total HIPAA: I read the stuff that you don't want to, translate it into common everyday language, and try to make it valuable. You're welcome, Internet friends!

On to the report. We are going to be talking about breaches first, and no, we aren't talking about pants, though you can lose them if you have a HIPAA violation. For those of you new to HIPAA, a breach affecting 500 or more individuals' PHI must be reported to HHS at the same time you notify the affected individuals, and that notice has to go out without unreasonable delay and no later than 60 calendar days after you discover the breach (a breach that size also requires notice to prominent media outlets serving the state or jurisdiction). Breaches affecting fewer than 500 individuals must be logged and submitted to HHS within 60 days of the end of the calendar year in which they were discovered. There is an online form for you to submit breaches here: https://ocrnotifications.hhs.gov/

Ok, on first read, I'm horrified at the number of breaches that affected more than 500 people in 2011. The number is 236 reported breaches affecting approximately 11,415,185 individuals. Yes, it is over 11 million, and no, I did not make this up. The Office for Civil Rights (OCR) says this year was a little out of the ordinary since a number of very large breaches were reported. One for over a million, another for 2 million, and lastly one for nearly 5 million... seriously?!?! The reason these are listed as approximate is that the violators weren't really certain how many records were affected; guess you lose count after a while?

So, who was doing all this breaching? Well, it turns out that huge breach of almost 5 million people was by a business associate. The offending party was Science Applications International Corp., of McLean, Va. They reported to their client, TRICARE, that unencrypted backup tapes had been lost (stolen from an employee's car), a mere 4.9 million records. If you've been reading my blog, you will know how I feel about encryption. Just to reiterate, EVERYTHING must be encrypted at ALL TIMES! Have a laptop? Encrypt it! Have a mobile device? Encrypt it! Have backup media leaving the building? Encrypt it! See a pattern here? And here is why it matters so much: under the Breach Notification Rule, PHI that is encrypted in a way consistent with HHS guidance (NIST-validated encryption, with the key kept somewhere other than on the device) counts as "secured" PHI, so losing that laptop or tape is not a reportable breach at all. A password prompt by itself does not get you there; only encryption does. Had those tapes been encrypted, 4.9 million people would never have gotten a letter.
[Chart: 2011 Breaches by Entity]
What I find most interesting is, when I travel around and speak about HIPAA, everyone groans when I bring up the federal common law of agency provision in the Omnibus Rule. This is the part that says, in plain terms, "You are liable for the violations of a Business Associate that is acting as your agent." Any wonder where this came from? Yeah, Business Associates were involved in only 27% of the reported breaches in 2011, but they were responsible for 64% of the total number of people whose information was breached.
This is why I tell everyone I speak with, present to, consult with, and pass casually on the street (ok, the last one is a bit of a stretch) to audit their Business Associates before doing business with them. You want to see their Privacy and Security Policies and Procedures, their most recent security risk analysis, the agreements they have with any subcontractors who touch your PHI (the Omnibus Rule requires a Business Associate to have a BAA with each of them), and their workforce training logs. When a Business Associate has a breach, it must report it to you, and you are the one on the hook for notifying the individuals and HHS. Their breaches are now your breaches, and we here are trying to keep you from losing your breeches in the process!

If you want to keep track of what we are up to here at Total HIPAA, you can follow our blog by registering over on the right, or on Twitter, Google+, Facebook, and/or LinkedIn. If you enjoy and read our blogs, make sure to throw us some love!

Till next week!

By: Jason Karn
