As required by law, the Department of Health and Human Services (HHS) has begun publicly listing breaches of private health information (PHI), generally in medical records, when the breach totals 500 or more individuals.

Though breach notification rules under HITECH (Health Information Technology for Economic and Clinical Health Act) went into effect in September 2009, a grace period provided HHS (and the FTC in cases involving vendors) with a window of discretion. Consequently, when the grace period expired on Feb. 22, HHS began posting breaches involving 500 or more individuals.

According to HITECH regulations, breaches involving 500 or more people must be reported immediately, but breaches involving fewer than 500 persons need only be reported annually.

The breach notifications are available here on the HHS Web site.

What I found a bit curious about the list is a series of five thefts/unauthorized accesses occurring on Sept. 27 at a "private practice" in Torrance, Calif. The list of breaches involves, in succession, 6,145, 5,166, 5,257, 857, and 952 individuals, but the question lingers about why they were listed separately. My conclusion is that the theft/unauthorized access occurred at roughly the same time, but involved five different sets of records. It would be hard to imagine five separate occasions of theft involving the same private practice on the same day. However, anything is possible.

For your convenience and compliance, Personnel Concepts has compiled all HITECH breach regulations into one compact but comprehensive HITECH Act Security Rule Poster. Get yours today so your employees know their rights and responsibilities under HITECH.