By Ron Benvenisti. The HHS Office for Civil Rights (OCR) reports that over 10 million individuals' private health information had been exposed to the public domain as of April 4, 2011. What does this mean to you? Your personal health information may have been exposed to the public, which is a violation of your civil rights and can cause damage to you and your family members. You can unwittingly become a target of fraudulent marketing and financial scams, and face a high risk of identity theft.
Under the Health Information Technology for Economic and Clinical Health Act (HIPAA HITECH 5010 Act), enacted as part of the American Recovery and Reinvestment Act of 2009, health care facilities must report to the Secretary of the U.S. Department of Health and Human Services (HHS) privacy or security breaches within 60 days of discovery.
In turn, the HHS OCR is required by law to post those breaches on its Web site. You can see whether any of your health care providers have released private records into the public domain by checking the national listing at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Some of the affected reporting facilities in New Jersey are:
Saint Barnabas Medical Center; 3630 Individuals on 5/10/2010
Newark Beth Israel Medical Center; 956 Individuals on 5/10/2010
Newark Beth Israel Medical Center; 1744 Individuals on 1/1/2010
Be advised that you may also be affected by:
1. Many other providers, such as claims processors and insurance carriers, which are located out of state.
2. Many providers DO NOT report data breaches, especially small to mid-sized clinics, doctor's offices and other outpatient facilities such as labs and specialty facilities for MRI, ultrasound, etc.
If you are concerned that your data may be exposed, ask your health care provider to provide you with a written statement that:
A: A breach has not occurred.
B: Your records are not at risk, and
C: The provider is fully compliant with the HIPAA HITECH 5010 timeline as required by Federal Law.
The Details:
The HHS Office for Civil Rights (OCR) is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act.
As of April 4, 2011, OCR reported a total of 256 breaches, reported by covered entities, which have affected 10,202,051 persons. These data losses and exposures took place between September 22, 2009 (which "coincidentally" was the day prior to the effective date of the Breach Notification Rule) and February 8, 2011.
Just one of seven newly posted breaches on the OCR web site pushed the cumulative number of affected individuals to over 10 million!
Here are some highlights:
"California-based Health Net, Inc. reported a breach affecting 1.9 million individuals on January 21, 2011 from an 'unknown' type of breach and 'other' location of breached information. Health Net issued a news release pertaining to this reported incident on March 14, 2011, which is available online. In that news release, Health Net indicated that a business associate, IBM, had notified Health Net that 'it could not locate several server drives.' Health Net is continuing to investigate the whereabouts of those drives and is offering affected parties several risk mitigation monitoring and insurance remedies to potential misuse of personal health information (PHI) identifiers and resultant consequences."
A Warning to Patients and Providers Alike:
A rapidly growing number of individuals are being affected by privacy and security breaches. Accordingly, OCR is strengthening audit and enforcement activities regarding covered entities and business associates that are required to be compliant. The agency has the right to walk in at any time to assess and examine compliance efforts to adhere to the HIPAA/HITECH Act privacy and security rules. The final deadline is January 1, 2012, with no extensions. No compliance, no billing.
OCR cites a widespread lack of training of workforce members in safeguarding electronic hardware, devices, and media containing PHI as a significant problem. What may appear to be an "oversight" or "mistake" by an untrained employee can result in an entity exposing PHI and being cited, shut down or fined, and in some cases in its executive staff being imprisoned. In one case an owner was fined and imprisoned for four months.