HHS Looking Into OCR’s Wall of Shame Following Criticism

The Department of Health and Human Services’ Office for Civil Rights started publishing OCR’s ‘Wall of Shame’ – summaries of healthcare data breaches – on its website in 2009.

The data breach list only includes a short synopsis of data breaches, including the name of the covered organization, the state in which the covered organization is based, covered organization type, date of notification, type of violation, location of breach information, whether a business associate was involved and the number of people/subcrivers affected.

The list includes all officially submitted data breaches, including those which occurred due to no fault of the healthcare body. The list is not a complete record of HIPAA violations. Those are determined during OCR examinations/reviews of breaches.

Rep. Michael Burgess (R-Texas) recently criticized OCR about its data breach list saying that making brief details of the data breaches view-able to the public is an ‘unnecessarily punitive’ measure.

Burgess was told, at a cybersecurity hearing recently, that HHS secretary Tom Price is currently looking into the website and how the information is made accessible to everyone.

While the publication of information is being reviewed, the publication of breach summaries is a necessity of the HITECH Act of 2009. Any steps taken to stop publishing breach summaries on the website would require cooperation from the US Congress. However, it is possible for alterations be made to how the information displayed and for how long the information remains available. HITECH Act only requires the information to be published. It does not state the exact length of time that the covered entity remains on the list.

The reason behind the publication of HIPAA breach information is to inform the public of data breaches and to provide some background information on what has occurred. If there was a time limit placed on the length of time a covered organization remained on the list, it would not be possible for a member of the public to determine whether a breach was an one-time event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement supporting the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess commented to Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

As was the case with the WannaCry attacks, healthcare groups may not be faultless. The cyber attacks were only possible as patches were not applied promptly. However, in its current state, there would be nothing on the website to make it clear that a covered organization had experienced a ransomware attack as the breach list does not go into that much detail.

While alternative options are being considered, some privacy sponsors feel that the breach portal does not go into enough detail and argue even more information should be published on the site to better inform the public on HIPAA breaches.

Author: Maria Perez