The following is from Home Health Line. For more news and information on home health and hospice, visit homehealthline.decisionhealth.com.
The feds’ dishonor roll of entities that have sustained a HIPAA breach of 500 individuals or more has topped 2,000 for the first time.
If you go directly to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information — informally known as the Wall of Shame — you’ll find that there are 1,684 resolved reports of HIPAA breaches involving 500 or more individuals, and 363 such breach reports that are currently under investigation, for a grand total of 2,047 since 2009.
Various sources, including HIPAA Journal and the McDonald Hopkins law firm, noted the milestone in August. HIPAA breaches are impermissible uses or disclosures under the HIPAA Privacy Rule that compromise the security or privacy of protected health information (PHI).
This doesn’t count the tens of thousands of breaches affecting fewer than 500 individuals. which are also reportable, though these affected entitites have up to 60 days after discovery to tell OCR about it, while 500-and-over breaches must be reported to both OCR and the affected individuals immediately — and are more likely to draw an OCR press release and a huge fine (and a spot on the Wall).
It’s worth remembering, though, that you can be fined millions of dollars for small breaches if the breach is egregious enough — as when a Texas hospital outed an undocumented immigrant’s PHI in 2015 and had to pay $2.4 million.