The act outlines:
Another interesting aspect of this ruling is that breaches of unsecured protected health information affecting 500 or more individuals must be posted by the Secretary. Those postings are located on the U.S. Department of Health and Human Services website.
This Breach Notification Portal offers a list of all the breaches. The information is filtered by default for breaches over the last 24 months.
A quick history of HIPAA enforcement:
Types of breaches, in the last 24 months in Washington State
Note: This is only for Washington State, only includes the last 24 months, and does not include the names of the companies in this table. If you'd like to see the names, just log on to the site. You'll recognize several of the names.
You will find a variety of types of medical organizations on the list, including both small and large organizations:
As we reported in our blog article Clinic Hacking, digital records have a $500 retail street value. In the past, medical organizations assumed they were too small and didn't need to worry. We can see from this list that clinics have been fined for losing as few as 569 records. Hackers are seeing even small clinics as a target. Every company needs to focus on cyber security.
The first step
The next step is to build a team. The first member of the team will be the Privacy Officer.
Contact us here if you need more information or help with business processes and tools to protect your organization and avoid being on the HHS Breach Portal (also referred to as the Hall of Shame).