Provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the stimulus package passed in February 2009, created new security and breach-notification rules for those covered by HIPAA (the Health Insurance Portability and Accountability Act of 1996), but afforded everyone a six-month window to achieve full compliance that runs into 2010.
Even so, a Medicaid payment processor in California named CalOptima has largely complied with the breach rule after the company discovered the loss of claims forms for some 68,000 people. The digitized forms contained personally identifying information on those 68,000 and were lost during shipment by the United States Postal Service.
CalOptima has posted a breach notification on its Web site and also has notified federal and state agencies. The company says it will also notify each of the 68,000 affected individuals. The postal service, for its part, says it will continue to search for the missing data disks.
It is unclear whether CalOptima also notified the media of the breach, which the rule requires when a breach affects more than 500 residents of a state or jurisdiction.
Employers who offer health insurance are covered by both HIPAA and the new breach rule, so you may want to sign up for Personnel Concepts’ HIPAA Compliance Poster and Subscription Service to keep yourselves and your employees informed of all rights and responsibilities.
POSTSCRIPT: The missing CDs, which held encrypted data, were later found at a secure postal facility in Atlanta, apparently untampered with. CalOptima subsequently scrapped its plan to mail individual breach notices to the 68,000 affected individuals. Note that the HITECH breach rule applies to unsecured protected health information; data encrypted in line with HHS guidance falls outside the notification requirement.