Dramatic Differences Separate Large and Small Breaches
Between the start of reporting on September 23, 2009, and the end of 2010, OCR received reports of nearly 31,000 breaches as defined by the breach notification rule. Fewer than 1 percent of those reports involved large-scale breaches (500 or more individuals), but those incidents accounted for 99 percent of all breached records.
Category                     No. of reports   No. of individuals affected   Leading cause
500 or more individuals      252              7,800,000                     Theft of paper records or electronic media
Fewer than 500 individuals   30,521           62,000                        Misdirected communications
The reason for the difference is that the leading cause of small breaches was misdirected communications, typically a clinical or claims record mailed, e-mailed, or faxed to the wrong individual.
At the root of these incidents were poorly compiled patient data and human error. Organizations reported fixing computer errors, training staff, and revising policies and procedures to address the root cause of the problems.
Kevin Heubusch ( kevin.heubusch@ahima.org) is editor-in-chief at the
Journal of AHIMA.
Remedial Actions
HITECH also requires HHS to report to Congress the actions covered entities have taken in response to breaches. (These actions do not reflect remediation resulting from an OCR investigation.) The results offer all organizations a useful checklist of actions they can take to prevent breaches in the first place.
Organizations reporting breaches involving more than 500 individuals took the following remedial steps in response:
- Revising policies and procedures
- Improving physical security by installing new security systems or by relocating equipment or records to a more secure area
- Training or retraining workforce members who handle protected health information
- Providing free credit monitoring to customers
- Adopting encryption technologies
- Imposing sanctions on workforce members who violated policies and procedures, primarily in response to serious employee errors, removal of protected health information from the facility against policy, and unauthorized access
- Changing passwords
- Performing a new risk assessment
- Revising business associate contracts to more explicitly require protection for confidential information
Approximately half of the organizations that reported breaches involving the theft or loss of electronic protected health information indicated they were implementing encryption technologies to avoid future breaches.
Reference
US Department of Health and Human Services, Office for Civil Rights. “Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2009 and 2010.” September 1, 2011. www.hhs.gov/ocr/privacy/hitechrepts.html.