Last week, the U.S. Department of Health and Human Services (“HHS”) released two reports to Congress, pursuant to its obligations under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”): a report on Breaches of Unsecured Protected Health Information for 2011 – 2012 (the “Breach Report”) and a report on compliance with the HIPAA Privacy and Security Rules for 2009 – 2010 (the “Compliance Report”).
In the Breach Report, HHS explained what constitutes a Breach under HIPAA, described compliance requirements, provided an overview of reported Breaches from 2011 – 2012, and described the HIPAA audit program piloted in 2012. HHS also reported certain interesting statistics regarding Breaches:
- In 2011, HHS received 236 reports of Breaches affecting 500 or more individuals (“Large Breaches”). In total, Large Breaches reported in 2011 affected approximately 11,415,185 people. In 2012, HHS received 222 reports of Large Breaches that collectively affected approximately 3,273,735 individuals.
- In 2011, 50% of reported Breaches were a result of theft, 19% were a result of an unauthorized use or disclosure of Protected Health Information (“PHI”), 17% were a result of loss, and 14% were due to another cause. In 2012, 53% of reported Breaches were a result of theft, 18% were a result of an unauthorized use or disclosure of PHI, 12% were a result of loss, and 18% were due to another cause.
- In 2011, with respect to Large Breaches, health care providers accounted for 63% of Breach reports, Business Associates submitted 27% of Breach reports, and health plans were responsible for 10% of Breach reports. In 2012, with respect to Large Breaches, health care providers accounted for 68% of Breach reports, Business Associates submitted 25% of Breach reports, health plans were responsible for 7% of Breach reports, and health care clearinghouses were responsible for less than 1% of Breach reports.
- At the end of 2013, HHS had entered into resolution agreements with seven Covered Entities resulting from reported Breaches, six of which were Large Breaches, from 2011 – 2012. Four of these Breaches involved the theft of devices containing unsecured PHI. Cumulatively, through their resolution agreements, these seven entities paid $8 million to the government.
- Based on the types of Breach reports submitted, HHS advises that entities subject to HIPAA should ensure completion of risk evaluations, secure portable electronic devices, provide for proper disposal of PHI, implement physical access controls, and provide trainings to members of the workforce. These are important steps to take to limit the likelihood of a Breach.
In the Compliance Report, HHS provided background on both the HIPAA Privacy Rule and the HIPAA Security Rule. HHS also provided statistics regarding complaints, investigations, and compliance reviews:
- Between April 14, 2003, and December 31, 2010, HHS received 57,375 complaints under the Privacy Rule. Of these, 5,036 (about 9%) have yet to be resolved. Of Privacy Rule complaints resolved, HHS investigated 19,161 submissions. HHS mandated corrective action in 12,573 cases (about 66%) and determined there had been no violation in 6,588 cases (about 34%). HHS determined that the other 33,178 cases “did not present an eligible case for enforcement of the Privacy Rule,” either because HHS lacked jurisdiction, the complaint was not timely or withdrawn, or the conduct in question occurred prior to the compliance date, not by an entity covered by the Privacy Rule, or did not violate the Privacy Rule.
- Between April 14, 2003, and December 31, 2010, HHS also opened 59 Privacy Rule compliance reviews not arising from complaints from individuals, of which 43 have been resolved.
- Between April 20, 2005, and December 31, 2010, HHS received 803 complaints under the Security Rule. Of these, 226 (about 28%) have yet to be resolved. Of Security Rule complaints resolved, HHS investigated 289 submissions. HHS mandated corrective action in 150 cases (about 52%) and determined there had been no violation in 139 cases (about 48%). HHS determined that the remaining 288 resolved cases were ineligible for enforcement of the Security Rule.
- Between April 20, 2005, and December 31, 2010, HHS also opened 38 Security Rule compliance reviews not arising from complaints from individuals, of which 23 have been resolved.
The Compliance Report also contains descriptions of recent enforcement activity. For further information regarding HIPAA enforcement, please refer to our HIPAA enforcement tracker located under the “Trackers and Presentations” section on this page and under the “Resources” tab above.