This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers.
On November 21, 2010, a posting on this blog discussed a PHI security breach involving Henry Ford Health System (“Henry Ford” or the “health system”).
The blog posting observed that the disclosure by Henry Ford on its Web site did not divulge the number of patients affected by the security breach. As discussed in the posting, the required time frame for the health system to notify the U.S. Department of Health and Human Services (“HHS”) is the same as that for notifying affected patients; therefore, the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals would soon reveal the number of affected patients. Indeed, a visit today to the HHS Web site reveals that the Henry Ford security breach is now listed and that the breach affected 3,700 patients.
It is somewhat perplexing why the health system would have chosen not to report the number of affected patients on its own Web site. While every PHI security breach is costly and exposes providers and insurers to potential embarrassment, criticism and diminished reputation, proactive transparency assists in rehabilitating relations with clients and the public.