Following the passage of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights developed its data breach reporting tool to allow HIPAA-covered entities to easily submit reports of data breaches.
A summary of data breach reports is published via the data breach reporting tool and is viewable by the public. The data breach list – which is commonly known as OCR’s Wall of Shame – details all reported healthcare data breaches that impact more than 500 individuals.
While there have been updates to the data breach reporting tool since its release, the format of the data breach list has changed little over the years. An update to the portal, and how the information is displayed, was long overdue.
Recently there have been calls for OCR to change the information published on its website. Some privacy advocates argue that the information published should be expanded to provide the public with further detail on data breaches. For instance, hacking and IT incidents are lumped together in the same category, even though the level of risk involved can vary considerably depending on the cause of the breach. A hacker could infiltrate a system and steal data, or an employee could open a phishing email and inadvertently install ransomware. Both incidents would be indistinguishable on the list, yet the level of risk to breach victims varies considerably.
Some people have expressed concern about the publication of breach reports, which remain on the list indefinitely. Rep. Michael Burgess (R-Texas) recently spoke out about this at a hearing addressing cybersecurity concerns. He claimed the breach list was ‘unnecessarily punitive,’ especially since many of the covered entities on the report had not violated any HIPAA Rules and had experienced breaches through no fault of their own.
OCR has listened to feedback about its data breach reporting tool and has now made some changes to how the information is presented. Rep. Burgess is likely to be disappointed that all data breaches are still accessible, although they have been separated into historic breaches and incidents that are still being investigated by OCR.
OCR describes it as a “Revised web tool that puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved.”
OCR also explains the benefits of the tool, saying it “Helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR, which can help industry improve the security posture of their organizations.”
The new features added in the latest update include tips for consumers, an improved method of navigation, and a new archive containing historic breaches together with breaches that OCR has investigated and closed. Breaches reported in the past 24 months that OCR is still investigating are listed separately.
Further changes will be made to the data breach reporting tool over time, with new functions and features added based on feedback received from stakeholders.