Since the HITECH Act data breach notification provisions became effective this past September 23, 2009, I’d recently become curious about the number and nature of data breaches that would start to appear on the website at the Department of Health and Human Services (HHS).
The HHS Rules require healthcare organizations (specifically HIPAA covered entities) to report to HHS any data breach incidents that have affected over 500 individuals, shortly after the breach is discovered. I noticed that the Identity Theft Resource Center (ITRC) 2009 ITRC Breach Report, a terrific compendium of public information from numerous sources on data breach incidents, had captured numerous healthcare data breaches since the September 23rd effective date. And of course there have been several very high profile healthcare data breaches recently including the Blue Cross Blue Shield Assocation breach that affected over 850,000 of their medical providers, as well as the recent Health Net data breach affecting over 1.5MM individuals.
So with great anticipation I visited the HHS website where there is a section on the Breach Notification Rule and clicked on the following link:
“View Breaches Affecting 500 or More Individuals. OCR must post a list of breaches that affect 500 or more individuals. View a list of these breaches.”
And surprisingly, there was nothing there. Now, it is very hard to imagine that no data breaches have been detected since September 23rd that affected over 500 individuals and would have had the potential to lead to harm for the affected population. So, I’m perplexed as to why there aren’t any data breaches over 500 individuals yet listed by HHS.
I guess it is possible that some healthcare providers may still be unaware of the reporting mandate, but it would seem unwise of others that are aware of the breach notification provisions and have experienced a sizable data breach to neglect to comply with the mandatory HHS reporting requirement. If anyone can shed light on the lack of content on the HHS data breach notification site, I think it would be of interest to all of us who are watching to see whether the public reporting provisions of the HITECH Act will result in more responsible behavior by entities to expose our protected health information (PHI).