CalOptima reports potential loss of claims data... A Breach Notification?

Posted Oct 27 2009 11:01pm

Lawofc Link: Health Data Management Article: Medicaid Payer Gives Breach Notification

Thanks to HISTalk for this post.

"CalOptima reports that its claims imaging vendor, ImageNet, accidentally sent out unencrypted DVDs that contained claims from 68,000 of its members. The DVDs were sent to CalOptima via certified mail, but never reached CalOptima. CalOptima actually posted this information and identified ImageNet on its home page."

CalOptima calls it the "potential loss of past medical claims information for approximately 68,000 of its members that was stored on electronic media devices." CalOptima reported that the information potentially breached included: member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member identification numbers, including some Social Security numbers. CalOptima provided a toll-free number for its members to call.

It will be interesting to see how this situation develops.

Regardless of how you analyze it, a breach of this magnitude requires implementation of the Breach Notification Rules that went into effect in September 2009. The rules under Section 13402 of the HITECH Act call for:

  • Notification to individuals whose PHI was breached.
  • Notification to media outlets serving the state or jurisdiction, if unsecured PHI of more than 500 individuals is believed to have been disclosed.
  • Posting on the HHS public website.

Notification must include:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  • A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
  • The steps individuals should take to protect themselves from potential harm resulting from the breach.
  • A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll free telephone number, an e-mail address, Web site, or postal address.

For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter. Discussion/Social Networking sites containing information regarding the HIPAA Survival Guide include Facebook and LinkedIn groups.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.
