On February 22, 2010, as required by section 13402(e)(4) of the HITECH Act, the Office of Civil Rights (OCR) website posted a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. By posting this information on the OCR website, OCR has met its HITECH Act obligation, which required Health and Human Services (HHS) make this information public by posting it on an HHS website. The 36 impacted organizations are located around the country and run the gamut from the very small to one of the largest health plans in the country.
Although the majority of the breaches posted involved lost media and laptops, there were instances involving paper records, including several instances of mailings that included protected information. As well, there were a number of instances of hacking with a few involving compromises of business associates.
It remains to be seen whether this public display will shame companies into not losing laptops or being the victim of a theft. What is clear, however, is that having your name listed on a public site will open you up to more potential litigation expense.