The number of entities that have reported major patient information breaches to HHS' Office for Civil Rights nearly tripled from 32 in February to 93 by June 11, HealthLeaders Media reports.
The health IT provisions of the 2009 federal economic stimulus package require OCR to publicize information about any breaches involving 500 or more individuals. The requirement was included in the interim final rule on breach notification, which took effect in September 2009.
Seventeen of the 93 breaches posted on OCR's website involve business associates of entities covered by the HIPAA privacy and security rules.
Ten of the reported breaches involve entities classified as a "private practice." Currently, OCR does not post the names of private practitioners without their consent because of protections under the Privacy Act of 1974. However, OCR said it soon will begin posting the names of individuals categorized as private practice because the "routine use" provision of the privacy act allows the office to post names without prior consent.
The largest breach reported to OCR thus far involved the Florida insurer AvMed, which reported that data on 1.22 million individuals were compromised after a laptop theft in December 2009.
OCR said it will continue to update its website as it receives new reports of data breaches (Nicastro, HealthLeaders Media, 6/11).