On June 11, 2014, the US Department of Health and Human Services (“HHS”) issued two reports to Congress addressing Health Information Accountability and Portability Act of 1996 (“HIPAA”) compliance activities for calendar years 2011 and 2012. The first report, relating to breaches of unsecured HIPAA-protected health information, describes the types and numbers of breaches reported to the HHS Office for Civil Rights (“OCR”) in 2011 and 2012. HHS’s report disclosed that OCR received 458 reports of breaches affecting 500 or more individuals in 2011 and 2012, which in total represented approximately 14.7 million individuals. HHS reported that the largest breach in 2011 “was the result of a loss of back-up tapes by a business associate and affected approximately 4.9 million individuals. . . . The largest breach reported as a theft in 2011 involved an unencrypted desktop computer stolen from a covered entity’s facility during a burglary, which contained the PHI of just under 1 million individuals.” HHS further reported that the largest breach in 2012 due to theft “involved an unencrypted laptop that was stolen from an employee’s personal vehicle. This incident affected 116,506 individuals.” HHS reported that OCR “entered into resolution agreements with seven covered entities as the result of investigations opened in response to breach reports submitted to OCR for breaches that occurred through the end of 2012.”
HHS’s second report, relating to HIPAA privacy, security, and breach notification rule compliance, disclosed that “from April 14, 2003 . . . to December 31, 2012, OCR received 77,190 complaints alleging violations of the HIPAA Rules. As of December 31, 2012, OCR resolved 70,259, or 91 percent, of the complaints received. . . . In 42,793 of the resolved cases, OCR determined that the complaint did not present an eligible case for enforcement of the HIPAA Rules.” Demonstrating how frequently HIPAA compliance reviews may be initiated because of a reported breach, HHS disclosed that in 2012, “OCR opened at least 235 compliance reviews addressing allegations of violations of the HIPAA Rules that did not arise from complaints. Of these, 222 compliance reviews were opened as a result of a breach report affecting 500 or more individuals.”
More information on HHS’s breach report may be found here; a copy of the report may be found here. More information on HHS’s report on privacy, security, and breach notification rule compliance may be found here; a copy of the report may be found here.