The Department of Health and Human Services has posted a list of the covered entities (i.e., those that come under HIPAA regulations) that have reported health information data breaches impacting more than 500 people.
DHHS is now required by the HITECH Act to post the list, which includes the covered entity’s name, the nature of the breach and the number of individuals affected.
It’s worth noting that the 36 incidents posted date only from Sept. 22, 2009–when entities were first required to start reporting the breaches–to Jan. 18, 2010.
Out of the 36 incidents, 29 were due to theft.
Out of the 29 incidents, 16 were due to “portable electronic devices” (mostly laptops and a few USB drives). That’s 50% of the thefts.
HIPAA requires that the entities (by which they mean: hospitals, private practices, higher education health care, health insurance companies, etc., etc.) have a documented agreement with the third-party associates they use to process health-care information. In other words, the billing companies, drug companies, medical marketers, medical transcribers and any other associate that handles Personally Identifiable Health Information (PIHI).
Of the 36 incidents, seven occurred at associates. That’s about 20% of reported events.
Given today’s regulatory climate, as well as the business improvements gained by outsourcing, it’s worthwhile to consider the risk of outsourcing the handling of specific health and financial information.
If you review the list, you can see that the organization is listed first, whether or not the loss was from a business associate. That’s a list that no business (health care or otherwise) wants to be on. Does your organization have those kinds of relationships? (Think payroll, health billing, HR databases?)
What kind of agreement is in place to protect that data? (And your company?) Has anyone verified that they are handling the data securely? Organizations tend to think that they have offloaded the reputation and financial risk by outsourcing that information. They should take a look at that list and think again.