Simplified Training Solutions

HHS Posts List of Covered Entities Reporting Breaches of Protected Health Information Affecting More than 500 Individuals

February 22, 2010

Today OCR has posted on its website a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. By posting this information on the OCR website, OCR has met its HITECH Act obligation, which required HHS make this information public by posting it on an HHS website.

Section 164.408 of the breach notification interim final rule, which implements section 13402(e)(3) of the HITECH Act, became effective on September 23, 2009. This section requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS. Breaches that affected 500 or more individuals must be reported to HHS within 60 days, and covered entities must provide this notification via the online form on the OCR website.

HHS is obligated, pursuant to section 13402(e)(4) of the HITECH Act, to post on its website a list of the covered entities that have reported breaches affecting more than 500 individuals. The list of the covered entities that have reported such breaches, along with other relevant information about each breach, is available athttp://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html. OCR verifies all information with the covered entity reporting the breach prior to posting. OCR will continue to update this page as we receive new reports of breaches of unsecured protected health information.

For more information, visit the OCR website at http://www.hhs.gov/ocr/privacy/

Close Window

IMMEDIATE RELEASE		CONTACT: PHONE: DATE:	Rob Karn 919.821.9192 10.22.2010
HHS Posts List of Covered Entities Reporting Breaches of Protected Health Information Affecting More than 500 Individuals February 22, 2010 Today OCR has posted on its website a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. By posting this information on the OCR website, OCR has met its HITECH Act obligation, which required HHS make this information public by posting it on an HHS website. Section 164.408 of the breach notification interim final rule, which implements section 13402(e)(3) of the HITECH Act, became effective on September 23, 2009. This section requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS. Breaches that affected 500 or more individuals must be reported to HHS within 60 days, and covered entities must provide this notification via the online form on the OCR website. HHS is obligated, pursuant to section 13402(e)(4) of the HITECH Act, to post on its website a list of the covered entities that have reported breaches affecting more than 500 individuals. The list of the covered entities that have reported such breaches, along with other relevant information about each breach, is available athttp://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html. OCR verifies all information with the covered entity reporting the breach prior to posting. OCR will continue to update this page as we receive new reports of breaches of unsecured protected health information. For more information, visit the OCR website at http://www.hhs.gov/ocr/privacy/ Close Window