About 7.9 million people have had their health records exposed in more than 30,750 data breaches since new breach notification requirements took effect in September 2009, according to a report to Congress by HHS' Office for Civil Rights, Modern Healthcare reports.
The 2009 federal economic stimulus package included a provision that tightened HIPAA protections by requiring health care providers, insurers and business associates to report breaches of patient health information.
Under the requirements, organizations must submit annual reports on small-scale breaches affecting fewer than 500 individuals. Large-scale breaches that affect more than 500 individuals must be reported promptly. OCR publicly posts information about large breaches on its website.
HHS Secretary Kathleen Sebelius is required to report health data breach information to Congress on a regular basis. The latest OCR report is the first to be presented to Congress under the new requirements.
According to the OCR report, more than 30,500 of the breaches that occurred in the last two years were small-scale incidents involving fewer than 500 records. The small breaches collectively caused the unauthorized disclosure of data on about 62,000 individuals.
The report noted that 252 of the breaches were large-scale incidents involving the disclosure of more than 500 records. Such breaches collectively affected about 7.8 million individuals (Conn, Modern Healthcare, 9/6).