This year is on track to have the fewest large-scale breaches of patient-identifiable medical data since HHS' Office for Civil Rights started recording such incidents in 2009, Modern Healthcare reports (Conn, Modern Healthcare, 11/12).
The 2009 federal economic stimulus package included a provision that tightened HIPAA protections by requiring health care providers, insurers and business associates to report breaches of patient health information.
Under the requirements, organizations must submit annual reports on small-scale breaches affecting fewer than 500 individuals. Large-scale breaches that affect 500 or more individuals must be reported promptly. OCR publicly posts information about large breaches on its website (iHealthBeat, 8/2).
As of Sept. 15, OCR had recorded 87 large-scale health data breaches during 2012, for an average of 10.2 breaches per month. In comparison, OCR recorded an average of:
- 12.8 large-scale breaches per month last year;
- 17.8 large-scale breaches per month in 2010; and
- 13.3 large-scale breaches per month during the latter half of 2009, the first year of the reporting program.
The average large-scale breach in 2012 involved the data of 22,043 individuals, while the average large-scale breach last year involved the data of 71,368 individuals.
Since OCR started tracking large-scale data breaches, it has recorded information on 507 incidents that exposed the records of nearly 21.3 million individuals (Modern Healthcare, 11/12).