HIPAA HITECH Breaches

As of Aug. 22, 2011, the official federal tally lists 306 major health information breaches, affecting a total of almost 11.7 million individuals. Fourteen incidents, affecting a total of about 270,000 individuals, have been added since July 22.

The biggest incident added in recent weeks, which involved RxAmerica and Accendo Insurance Co., affected about 175,000. In that case, a mail formatting error caused certain personal information to be visible in an envelope window.

The Department of Health and Human Services' Office for Civil Rights lists breaches affecting 500 or more individuals dating back to September 2009. The list now includes about 49 incidents that occurred in 2011, affecting almost 3.4 million.

The theft or loss of various computer devices and media accounts for about 56 percent of all incidents on the tally. About 20 percent have involved a business associate.

The largest incident reported so far involved insurer Health Net and affected 1.9 million individuals. It stemmed from hard drives missing from a data center managed by IBM, its business associate. An executive at Health Net Oregon recently revealed that 130,000, rather than 124,000, residents of that state were affected. But the tally of the total number affected has not yet changed on the OCR list.

OCR began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the interim final version of the HITECH Breach Notification Rule took effect. The rule requires healthcare organizations to notify those affected by breaches of any size. Major incidents, defined as those affecting 500 or more individuals, must be reported to the Office for Civil Rights within 60 days. But breaches of information that has been encrypted using a specific standard do not have to be reported.

A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected later this year as part of an "omnibus" package of several rules. The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.

We will keep you posted on any future developments on the HIPAA HITECH Rule.