The Department of Health and Human Services' Office for Civil Rights has released statistics on health information breaches that show a total of 5.35 million Americans' records have been compromised in 192 data loss incidents since September 2009.
One of the most recent breaches, at Keystone/AmeriHealth Mercy Health Plans, involved over 280,000 records, including personally identifiable information, that were on an unencrypted USB drive that cannot be found.
The number of health information breaches is generally on a downward trend, according to data collected under the HITECH Act mandates, and the majority are due to lost or stolen data storage devices.
According to the HITECH Act's breach reporting rules, all events that affect 500 or more records need to be reported, and notifications must be sent within 60 days to those whose information has been compromised.
One-fifth of the breaches reported involved data loss events caused by business associates, a hot topic in HIPAA guidance.
Healthcare providers, insurance companies, and other entities charged with preserving sensitive healthcare data may be held responsible for breaches by their business associates.
It is the responsibility of the organization to make sure all business associates are HIPAA/HITECH compliant.