Content of the Notice to the Secretary of HHS for a Reportable Security Breach
By Robert Hudock, on March 1st, 2010

Update-
Under the HITECH breach notification requirements, covered entities must notify HHS of all reportable breaches. HHS recently released a list of the reported breaches, giving the covered entity, the business associate (if any), the number of individuals affected, and the type and location of the information compromised. More than 35 HIPAA covered entities have reported breaches involving 500 or more individuals’ PHI since September 2009. Theft or loss of laptops, desktop computers and portable media accounts for the large majority of the breaches reported so far. A summary of the breaches reported thus far appears below.
Reported Breaches of PHI
Breaches Affecting 500 or More Individuals
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The following breaches have been reported to the Secretary.
| Covered Entity | State | Business Associate | Individuals Affected | Date Of Breach | Type Of Breach | Location Of Breached Information |
|---|---|---|---|---|---|---|
| PMC Medicare Choice | New York | MSO of Puerto Rico | 605 | 2/04/10 | Other | Paper Records |
| MMM Health Care Inc. | New York | MSO of Puerto Rico, Inc. | 1,907 | 2/04/10 | Other | Paper Records |
| The Methodist Hospital | Texas | | 689 | 1/18/10 | Theft | Computer |
| Carle Clinic Association | Illinois | | 1,300 | 1/13/10 | Theft | Paper Records and Films |
| Ashley and Gray DDS | Missouri | | 9,309 | 1/10/10 | Theft | Desktop Computer |
| Educators Mutual Insurance Association of Utah | Utah | Health Behavior Innovations | 5,700 | 12/27/09 | Theft | CDs |
| Cardiology Consultants/Baptist Health Care Corporation | Florida | | 7,600 | 12/21/09 | Theft | Desktop Computer |
| Center for Neurosciences | Arizona | | 1,101 | 12/15/09 | Theft | Laptop |
| Goodwill Industries of Greater Grand Rapids, Inc. | Michigan | | 10,000 | 12/15/09 | Theft | Backup Tapes |
| Brown University | Rhode Island | Blue Cross Blue Shield of Rhode Island | 528 | 12/11/09 | Unauthorized Access | Paper Records |
| Private Practice | Stoughton, MA | | 1,860 | 12/11/09 | Theft | Portable Electronic Device/Electronic Medical Record |
| AvMed, Inc. | Florida | | 359,000 | 12/10/09 | Theft | Laptop |
| Blue Island Radiology Consultants | Illinois | United Micro Data | 2,562 | 12/09/09 | Loss | Backup Tapes |
| Private Practice | Wilmington, NC | Rick Lawson, Professional Computer Services | 2,000 | 12/08/09 | Hacking/IT Incident | Computer/Network Server/Electronic Medical Record |
| Kaiser Permanente Medical Care Program | California | | 15,500 | 12/01/09 | Theft | Portable Electronic Device |
| University of California, San Francisco | California | | 7,300 | 11/30/09 | Theft | Laptop |
| Detroit Department of Health and Wellness Promotion | Michigan | | 646 | 11/26/09 | Theft | Laptop, Desktop Computer |
| Advocate Health Care | Illinois | | 812 | 11/24/09 | Theft | Laptop |
| Concentra | Texas | | 900 | 11/19/09 | Theft | Laptop |
| Children's Medical Center of Dallas | Texas | | 3,800 | 11/19/09 | Loss | Portable Electronic Device |
| Universal American, Inc. | New York | Democracy Data & Communications, LLC | 83,000 | 11/12/09 | Incorrect Mailing | Postcards |
| Massachusetts Eye and Ear Infirmary | Massachusetts | | 1,076 | 11/10/09 | Theft | Other |
| Kern Medical Center | California | | 596 | 10/31/09 | Theft | Paper Records |
| Blue Cross Blue Shield Association | District of Columbia | Service Benefits Plan Administrative Services Corp. | 3,400 | 10/26/09 | Unauthorized Access | Mailings |
| Detroit Department of Health and Wellness Promotion | Michigan | | 10,000 | 10/22/09 | Theft | Portable Electronic Device |
| The Children's Hospital of Philadelphia | Pennsylvania | | 943 | 10/20/09 | Theft | Laptop |
| Public Employee Health Insurance Plan (Kentucky Employees' Health Plan) | Kentucky | | 676 | 10/20/09 | Misdirected E-mail | E-mail |
| Brooke Army Medical Center | Texas | | 1,000 | 10/16/09 | Theft | Paper Records |
| Alaska Department of Health and Social Services | Alaska | | 501 | 10/12/09 | Theft | Portable USB Device |
| Cogent Healthcare of Wisconsin, S.C. | Tennessee | Cogent Healthcare, Inc. | 6,400 | 10/11/09 | Theft | Laptop |
| Health Services for Children with Special Needs, Inc. | District of Columbia | | 3,800 | 10/09/09 | Loss | Laptop |
| Blue Cross Blue Shield Association | District of Columbia | Merkle Direct Marketing | 15,000 | 10/07/09 | Unauthorized Access | Mailings |
| Blue Cross Blue Shield of Tennessee | Tennessee | | 500,000 | 10/02/09 | Theft | Hard Drives |
| City of Hope National Medical Center | California | | 5,900 | 9/27/09 | Theft | Laptop |
| Private Practice | Torrance, CA | | 6,145 | 9/27/09 | Theft, Unauthorized Access | Desktop Computer |
| Private Practice | Torrance, CA | | 5,166 | 9/27/09 | Theft, Unauthorized Access | Desktop Computer |
| Private Practice | Torrance, CA | | 5,257 | 9/27/09 | Theft, Unauthorized Access | Desktop Computer |
| Private Practice | Torrance, CA | | 857 | 9/27/09 | Theft, Unauthorized Access | Desktop Computer |
| Private Practice | Torrance, CA | | 952 | 9/27/09 | Theft, Unauthorized Access | Desktop Computer |
| University of California, San Francisco | California | | 610 | 9/22/09 | Phishing Scam | Email |
| Mid America Kidney Stone Association, LLC | Missouri | | 1,000 | 9/22/09 | Theft | Network Server |
Older Story – October 12, 2009 — Content of the Notice to the Secretary of HHS for a Reportable Security Breach
The Secretary has delayed enforcement of the Security Breach Rules to give covered entities and business associates a reasonable amount of time to come into compliance. However, in anticipation of covered entities’ new reporting obligations, HHS on October 7th released an online form (OMB No. 0990-0346) that appears to be the exclusive mechanism by which a covered entity can provide the required notice to the Secretary in the event of a security breach. (The form is available at http://transparency.cit.nih.gov/breach/index.cfm.) The form is intended only for security breach submissions by covered entities to the Secretary; breaches involving business associates must be reported to the Secretary by the affected covered entity, not by the business associate.
Analysis of OMB No. 0990-0346 – HHS’s Security Breach Reporting Form
The form itself offers some insight into HHS’s understanding of security breaches and how HHS believes breaches can be mitigated and/or avoided altogether. The following are what I consider to be the most interesting questions and potential responses pre-populated within the form:
- HHS has defined seven categories of breaches within the form: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other, and unknown. Theft, loss, and improper disposal are the categories most readily mitigated in advance: PHI stored on a device or medium that is encrypted in accordance with HHS’s guidance is not “unsecured” PHI, so its theft or loss is not a reportable breach, and paper and electronic media destroyed under the guidelines HHS references cannot be recovered;
- The “locations” where a breach may occur, as identified by HHS, include: laptops, desktops, network servers, e-mail, other portable electronic devices, electronic medical records, paper, and other. Again, this question and its pre-populated responses echo HHS’s interest in encryption of data stored on laptops, desktops, and other portable devices. Moreover, after theft of computer equipment, e-mail runs a close second as a source of breaches involving PHI; it is very easy to send a message to the wrong recipient by mistake;
- The form identifies four categories of PHI–demographic information, financial information, clinical information and other. Demographic information and especially financial information are high value targets to potential identity thieves; and
- Probably the most interesting question, from a planning perspective, requires the covered entity to identify which of the following security controls were in place before the incident: firewalls, packet filtering (router-based), secure browser sessions, strong authentication, encrypted wireless, physical security, logical access controls, anti-virus software, intrusion detection, and biometrics.
This list of security controls is an odd mix of specific technologies (e.g. a packet-filtering router) and general categories (e.g. physical and logical access controls). I find the inclusion of biometrics and the omission of two-factor authentication (the more general category) unusual; the main value of biometric access controls lies in building two-factor authentication systems. Two-factor authentication combines any two of three kinds of factor: something you know, something you have, and something you are. A common example is a security token that generates a seemingly random one-time number, used together with a PIN and a password to authenticate the user. Biometric methods of identification, which include fingerprint scanners, facial recognition, and retinal scanners, supply only the “something you are” factor, and are either too expensive to deploy broadly or are poor-quality consumer-oriented products.
In all, it is clear which hot-button issues are likely to draw the attention of the enforcement body (the Office for Civil Rights) and, more importantly, how to avoid them: (i) encrypting portable media, (ii) firewalls, (iii) proper document destruction procedures, (iv) a physical security plan, (v) two-factor authentication, and (vi) antivirus.
The form should be filled out with diligence. It contains an attestation that the information provided is accurate, and an acknowledgement that the Office for Civil Rights (“OCR”) may be required to release information provided via the form under the Freedom of Information Act, that some of the information will be posted on HHS’s web site, and that OCR will use the information in the annual report to Congress required by the HITECH Act.