The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) website indicates that there were 1,100 data breaches involving 500 or more records during the first nine months after the HIPAA Omnibus Rule took effect on September 23, 2013. They also noted that for every breach of 500 or more records there were around 22 breaches of fewer than 500 records, or approximately 24,200 breaches in 9 months.

He also cited estimates that only 2% or less of security and privacy incidents actually get classified as a data breach, so using simple math we can project that there could be as many as 1.6 million incidents (not records, BREACH INCIDENTS!) involving health data each and every year in the health care industry.
Devin goes on to say: “Given this level of frequency of incidents, I think that it isn’t a stretch to conclude that the management of incidents – capturing the facts, assessing whether they are breaches, carrying out regulatory notifications – is something that most larger organizations with some health data are doing on a daily and weekly basis. But it hasn’t become a ‘mission critical’ function in most of these organizations. Something that is carried out like other day-to-day operational functions. Like billing. Or payroll. Yet, the privacy and security of health data is one of the most highly regulated areas by federal and state authorities. And regulators have become draconian in assessing fines, penalties, and corrective action plans to organizations that can stand up to their scrutiny, especially when there is a data breach.”
Have you examined your reporting process lately? What are you doing to make your reporting and reaction processes better?