OCR Reports on Breaches of Unsecure PHI and HIPAA Compliance.

The Department of Health and Human Services Office for Civil Rights (OCR) issued two annual reports to Congress in accordance with the Health Information Technology for Economic and Clinical Health Act.  The reports include: (1) a breach notification report containing the number and nature of breaches reported to ORC, and the actions taken in response to those breaches; and (2) a report on compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.

As discussed in the breach notification report, from 2009 to 2012, the OCR received 710 reports affecting approximately 22.5 million individuals. Subsequent investigations have resulted in seven resolution agreements/corrective action plans totaling more than $8 million in settlements.  From 2009 to 2012, theft was the main cause of a breach, and affected the most individuals.

The compliance report notes that from 2003 to 2012, OCR resolved 70,259 out of 77,190 complaints alleging violation of HIPAA rules.

The report to Congress on the breach notification program is available at:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf.

The report to Congress on compliance with the HIPAA Privacy, Security, and Breach Notification

Rule is available at:

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancereport2011-2012.pdf.

Office for Civil Rights.  “Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012.”  10 Jun. 2014.

Office for Civil Rights.  “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Years 2011 and 2012.”  10 Jun. 2014.