The Department of Health and Human Services Office for Civil Rights (OCR) has begun posting on its Web site lists of breaches of unsecured private health information (PHI) affecting 500 or more individuals that covered entities have reported. Breach notification requirements were enacted under the HITECH Act (issued as part of the American Recovery and Reinvestment Act of 2009). These requirements, issued in August 2009, became effective on September 23, 2009. They call for covered entities to provide notification of breaches of unsecured PHI to HHS, affected individuals, and (under certain circumstances) the media.
Under these requirements, covered entities must report breaches affecting 500 or more individuals to HHS without unreasonable delay and in no case later than 60 days following the breach. The information is to be reported using an online form available on the OCR website.
HHS is required to make publicly available some of the information from the submitted form, including:
- Name of covered entity (or business associate involved),
- State where the covered entity is located,
- Approximate number of individuals affected,
- Date of the breach,
- Type of breach (e.g., theft, unauthorized access), and
- Location of the breached information (e.g., computer, paper records, portable electronic device).