Since the HITECH Act came into force in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing data breach summaries on its website. The website lists brief details of the type of data breach experienced by HIPAA-covered entities with information such as the cause of the breach, the devices that were involved, the number of individuals affected and the name of the company that experienced the data breach.
HITECH requires OCR to publish breach summaries; however, this element of HITECH has been criticized recently. While some privacy proponents suggest that the site does not go into enough detail on the breach and provides little useful information for the general public, others claim the permanent listing of breached entities on the site is unfair.
For example, if a covered entity experiences a data breach through no fault of its own, should a permanent record of that breach be listed on the portal? If a system is hacked even though the covered entity had all appropriate protections in place, or a ransomware incident occurs as the result of the actions of a single employee, should the breach remain on the portal forever? Rep. Michael Burgess, M.D., R-Texas, believes the breach portal listings are “unnecessarily punitive,” and has voiced his concerns at a recent government hearing on cybersecurity.
It was also suggested that this approach may even impede threat sharing, as healthcare organizations may be reluctant to report breaches – ransomware incidents for example – fearing an OCR investigation. Burgess said, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”
HHS Secretary Tom Price has confirmed that he is looking into the issue and is taking the matter seriously. Changes to the breach report list could therefore be made.
However, since the breach list is a requirement of HITECH, any changes to the breach portal would likely need the backing of Congress, and scrapping the breach portal list entirely certainly would. That said, some changes could be made without approval from Congress, such as changing the length of time that data breaches are displayed on the site. The HHS also has some control over the information posted on the website.
OCR Director Roger Severino explained that “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.”
The purpose of the list is to keep the public informed about healthcare data breaches, so any limit on the time a breach report is displayed or any reduction in the information listed on the site has potential to undermine that objective.
There are good arguments on both sides and it is therefore likely that some changes will be made. Only time will tell what those changes will be.