HHS Posts List of Covered
Entities Reporting Breaches of Protected Health Information Affecting
More than 500 Individuals
February 22, 2010
Today OCR has posted on its website a list of the covered entities
that have reported breaches of unsecured protected health information
affecting more than 500 individuals. By posting this information on
the OCR website, OCR has met its HITECH Act obligation, which required
HHS make this information public by posting it on an HHS website.
Section 164.408 of the breach notification interim final rule, which
implements section 13402(e)(3) of the HITECH Act, became effective
on September 23, 2009. This section requires covered entities to provide
notification of breaches of unsecured protected health information
directly to the Secretary of HHS. Breaches that affected 500 or more
individuals must be reported to HHS within 60 days, and covered entities
must provide this notification via the online form on the OCR website.
HHS is obligated, pursuant to section 13402(e)(4) of the HITECH Act,
to post on its website a list of the covered entities that have reported
breaches affecting more than 500 individuals. The list of the covered
entities that have reported such breaches, along with other relevant
information about each breach, is available athttp://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html.
OCR verifies all information with the covered entity reporting the
breach prior to posting. OCR will continue to update this page as we
receive new reports of breaches of unsecured protected health information.
For more information, visit the OCR website at http://www.hhs.gov/ocr/privacy/