Friday, February 25, 2011

500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR

In the recently released fiscal 2012 budget for HHS, a dirty little
secret has been acknowledged: the Office of Civil Rights does not
have the resources to review all reported breaches of health
information. In fact, if you have a breach that impacts up to 499
people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website, and
subsequently investigate all breach reports that impacted more than
500 individuals. Breach reports that impacted fewer than 500
individuals are compiled for future reporting to Congress; however
they are treated as discretionary and only investigated if resources
permit.

While this prioritization makes a certain amount of sense, it leaves
the vast majority of breaches unreviewed. According to that same
budget report, "[a]s of September 30, 2010, OCR has received a total
of 9,300 breach reports (191 impact more than 500 individuals and
9,109 impact less than 500 individuals)." That means a mere 2% of all
reported breaches have OCR's full attention. The takeaway from this is to
count your breaches carefully before reporting, as there seems to be a
real benefit to being able to report an impact on fewer than 500
individuals.
