HIPAA requires that any breach of unsecured PHI in violation of the privacy rule must be reported to the affected individuals and to HHS. When the breach affects 500 or more individuals, the notice to HHS must be made within 60 days following the breach. HHS maintains a list of reported breaches affecting 500 or more individuals that can be searched and sorted based on criteria such as the cause of the breach.
Currently the list consists of 89 pages, and using the number of pages needed to list each type of breach, it appears that the causes of the reported breaches are roughly weighted as follows:
Theft – 48%
Unauthorized access/disclosure – 24%
Loss – 12%
Hacking/IT incident – 10%
Improper disposal – 5%
Interestingly, 60% of the reported breaches are from theft or loss. For any covered entity or business associate that is trying to prioritize its HIPAA compliance obligations, this analysis indicates that your efforts should be weighted towards performing a comprehensive security risk analysis. When performing the risk analysis, you may want to emphasize the analysis related to physical safeguards. Those safeguards will point you to the measures needed to protect your electronic PHI against theft and loss – the most frequent types of reported breaches.