HITECH Act Three Years Later – Are Health Records Safe?

In the second largest health information privacy settlement to date, the Alaska Department of Health and Social Services – the state’s Medicaid agency – recently agreed to pay $1.7 million to the U.S. Department of Health and Human Services (HHS) over possible violations of the HIPAA Security Rule.

It’s been almost three years since covered entities and business associates had to comply with the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule. As of December 31, 2011, 407 data breach incidents were reported on the Department of Health and Human Services website. These incidents compromised the protected healthcare information of 19,134,403 individuals. The largest of these incidents resulted from the loss of a backup tape and exposed the information of 4,901,432 individuals in September 2011.

This white paper reviews and analyzes all of the breaches posted on the HHS website that occurred between January 1, 2010 and December 31, 2011 to provide helpful insight and information for healthcare organizations to develop their risk assessments. Covered entities and business associates can use this analysis as a “lessons learned approach” to identify potential problem areas and learn how to prevent future breaches.


Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.

Tyler Quinn, CISA, CPA, is an Assurance & Advisory Services Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.