By Jack Anderson
June 16, 2014
While the big HIPAA breaches get the headlines and the big fines, a multitude of small leaks are reported every year and now they are starting to get large fines. $1 million dollars for the loss of 192 records is probably the most notable but there are many other examples.
The HHS’ Office for Civil Rights recently submitted a new report, Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012
2011: 25,700 smaller breaches affecting a total of about 152,00 individuals, almost 16,000 involved paper records.
2012: 21,200 smaller breaches affecting a total of approximately 165,000 individuals, almost 13,000 incidents involved paper records.
While these numbers are significant it should be noted that many of these small breaches go unreported. Either they involved parties didn’t know about the breach or they chose to ignore it.
Preventing these breaches is primarily a matter of staff training but you should also be careful to make sure that your business associates have proper training and awareness also. Handing off PHI whether electronic or paper should only be done with the awareness that your responsibility does not cease at that point.
A recent case illustrates this; See if you can follow the bouncing ball or in this case PHI:
Concentra Urgent Care in Bakersfield created the PHI. They were sold to Accelerated Urgent Care and the records transferred. Accelerated sent them to a contractor (not yet named). They were vound in a public recycleing bin.
Who is at fault? Probably all of them but Concentra gets the biggest black eye because they just paid a big fine for a HIPAA breach.