Health Information Compliance Alert

Industry Notes:

Theft Tops List of HIPAA Breaches, HHS Report Notes

Just because HIPAA breaches don't make the nightly news doesn't mean they aren't happening -- and in large numbers, a new report indicates.

The HHS Office of Civil Rights received 207 reports of HIPAA breaches that involved 500 or more individuals during 2010. These large breaches affected about 5.4 million individuals, according to the Annual Report to Congress on Breaches of Unsecured Protected Health Information, which was released last week.

The top five causes of incidents were theft, loss of electronic media or paper records containing protected health information (PHI), unauthorized access to, use of, or disclosure of PHI, human error, and improper disposal.

The largest reported theft affected approximately 1.9 million individuals, and involved the theft of backup tapes that contained electronic medical records that were being transported to a vendor's site. Many of the additional breaches involved the theft of laptops.

Smaller breaches: More than 25,000 incidents of smaller breaches (each affecting fewer than 500 individuals) were reported to HHS in 2010, most of which involved misdirected communications -- for instance, a fax with test results was mistakenly sent to the wrong person, the report indicates.

In response to the breaches, medical practices tightened up their security systems to ensure that future issues don't occur. To read the complete report, visit www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachrept.pdf.

Tricare HIPAA Breach Could Affect 4.9 Million Patients

Recent spotlights on HIPAA breaches have shown just how many people can be impacted by one privacy slip-up, and the latest incident underscores that point. Tricare, the massive U.S. military insurer, announced last week that backup tapes from an electronic health care record went missing while in the possession of a contractor, putting about 4.9 million San Antonio-area military clinic and hospital patients at risk of a privacy breach.

According to the statement, the information on the tapes included patient data from 1992 through Sept. 7, 2011, and "may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests, and prescriptions." However, the tapes contained no financial data.

Despite the sensitive information stored on the missing tapes, the government ranks the risk of harm to patients as low because anyone attempting to access the data would have to be proficient in specific hardware and software systems. The government will not be notifying all patients who have been identified as being on the tapes, and will not provide credit monitoring and restoration services, due to the low risk that the government has assigned to the situation.

For more information, visit www.tricare.mil/mybenefit/Download/Forms/DataBreach_PublicStatement.pdf.

Tighten Up Your Patient Privacy Practices

If you live in certain states, you may need to tighten up your patient privacy practices. "California and Texas have both significantly expanded statutes that require notifications in the event of a data breach," warns law firm Sidley Austin in an update on its website. Texas also created "significant new protections for health information," Sidley notes.

The new California law mandates notification to the California Attorney General when a breach involves more than 500 Californians, Sidley explains. The law also contains new content requirements for notification letters.

Under Texas' new law, providers now must notify affected Texans plus affected residents of other states that lack breach notification laws, Sidley says. The notification of other states' residents is "novel," the law firm observes.

Remember: Stricter state law requirements trump federal HIPAA rules, legal experts point out.

Use This New Hospice Cost Report Form

Get ready to revamp the way you fill out your hospice cost report for Medicare. The Centers for Medicare & Medicaid Services has issued a new hospice cost report form that has the cost centers renumbered, according to Transmittal No. 9 issued Sept. 21. The change aims "to avoid duplicate data collection subscripts," notes the National Association for Home Care & Hospice.

The revisions are just the latest changes to the hospice cost report form. In June, CMS issued a transmittal instituting the term "inpatient general care costs," and adding a new section to capture the drug, durable medical equipment/oxygen, and medical supply costs relating to inpatient general care services. The changes are effective for cost reports filed for years ending July 30, 2011, or later.

Note: The transmittal is online at www.cms.gov/Transmittals/2011Trans/list.asp -- scroll down to the "R9P238" entry on Sept. 21.