HIPAA Breaches Under Investigation Highlighted in OCR Data Breach Portal Update

In June 2017, the Department of Health and Human Services announced it was considering an update to its data breach portal, commonly called the OCR ‘Wall of Shame’.

Section 13402(e)(4) of the HITECH Act states that the OCR must maintain a public list of breaches of protected health information that have affected more than 500 individuals. All 500+ record data breaches submitted or made known to OCR since 2009 are listed on the breach portal.

The data breach list contains a wide variety of violations, many of which happened through no fault of the covered organization and involved no breaches of HIPAA compliance rules.

OCR has been criticized for its breach portal because of this, most recently by Rep. Michael Burgess (R-Texas), who said the breach portal was ‘unnecessarily punitive’ in its current state.

An example given was that burglaries will happen even with reasonable physical security measures implemented, and that even with appropriate controls in place, rogue healthcare workers will on occasion access PHI out of curiosity or with bad intent. Some feel it is unjust for those breaches to stay on public view indefinitely.

OCR Director Roger Severino said in June 2017 that “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.”

While the HITECH Act requires OCR to maintain the portal, the Act does not state how long that information must be kept on view. One possibility for improvement would be a time limit for displaying the violation summaries. There was some worry from privacy advocates about the loss of data from the portal, which would make it hard for information about past violations to be found for research purposes or by patients whose PHI may have been exposed.

Alterations to the breach portal have been published today. The breach portal now shows all data breaches that are currently under review by OCR. OCR looks into all reported data breaches affecting more than 500 people. Currently, the list shows there are 354 active reviews dating back to July 2015.

The order of the list has also been altered so the most recent breach reports are displayed at the top – a much improved order for checking the latest organizations to report data breaches.

Data breaches that were filed with the OCR more than two years ago, along with breach investigations that have now been closed, have not been lost; instead, they have been moved to a historical archive. The archive can still be accessed through the site and is searchable, as was the case previously.

Since recent data breaches could be in either the historical archive or the main list, the change has the potential to make research and searches slightly more complicated. OCR has addressed this issue by offering a research report including a full list of breaches dating back to 2009.

OCR says the new redesigned portal “Puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved.”

Other new features introduced by the OCR are:

  • Improved functionality that puts the focus on breaches currently under review and reported within the last two years
  • New archive that stores all older violations and information regarding how breaches were settled
  • Clearer navigation to additional breach information
  • Guidance and advice for consumers

Additional updates to the portal are expected, with the portal due to benefit from enhanced functionality and new sections.

Author: Maria Perez