The largest of the breaches—the 409 so far involving more than 500 records each—were required by Congress to be publicly posted on the "wall of shame," a website kept by the Office of Civil Rights at HHS.
Susan McAndrew, deputy director of health information privacy at the civil rights office, reported the grim totals in a slide show at the 20th National HIPAA Summit this week in Washington.
What McAndrew left off her slides was that the 409 breaches exposed 19.2 million records. That number comes from the wall of shame. So far, the civil rights office hasn't released the reports of breaches involving fewer than 500 records, so we can't count how many records those exposed.
But, with the data we have, let's compare.
Last September, in the OCR's first breach report to Congress, there were more than 30,750 breaches, affecting the records of at least 7.9 million people. That report covered the last four months of 2009 and all of 2010. That's an average of about 1,925 breaches and roughly a half million records breached a month.
Back those numbers out of the latest totals and, for the 15 months in 2011 and 2012, the number of breaches dropped to an average of 1,280 or so a month, while the severity intensified, to an average of 753,000 records a month.
The civil rights office recently submitted to the Office of Management and Budget its so-called omnibus final rule on privacy and security. That rule should be released soon.
It will cover the revisions to HIPAA made by the American Recovery and Reinvestment Act, as well as the Genetic Information Nondiscrimination Act, which requires that genetic information be treated as "protected health information" under HIPAA and adds the new wrinkle that it prohibits health insurance companies from using or disclosing genetic information for underwriting.
One of the many other issues the rule is expected to address is the "harm" standard that HHS rule writers had included in an earlier draft of the breach notification rule. HHS would have allowed the culprits in a breach to perform their own risk assessment and determine the likelihood of harm to the persons whose records they'd lost, stolen or otherwise misused. Only in those cases in which the culprit determined harm had been done would they have been required to notify the affected patients—sort of like putting the fox in charge of reporting on the damage it had done inside the hen house.
That inclusion drew the wrath of Congress, since legislators had considered and—wisely—rejected the concept.
Glad they did. Now, let's hope the new breach rule that HHS comes up with can help plug the sieves that are far too many healthcare organizations' record-keeping systems.
Follow Joseph Conn on Twitter: @MHJConn.