In June 2017, the Department of Health and Human Services (HHS) confirmed it was contemplating updating its data breach portal. This section is commonly referred to as the OCR ‘Wall of Shame’, as all data breaches which have involved 500+ records are listed on the breach portal.
This list is maintained under section 13402(e)(4) of the HITECH Act, which requires OCR to post on its website a public list of breaches of protected health information that have affected more than 500 individuals. OCR has been updating this list since 2009.
The data breach list contains a wide range of breaches. Some may have resulted from intentional violations of HIPAA, or from a lack of care by the organisation in implementing strong security measures. However, many of these breaches occurred through no fault of the covered entity and involved no violation of the HIPAA Rules, but rather resulted from hacking or ransomware attacks.
OCR has received some criticism of its breach portal for this very reason. Rep. Michael Burgess (R-Texas) most recently criticised the portal, saying it was ‘unnecessarily punitive’ in its current form.
For example, burglaries will occur even with reasonable physical security in place, and even with appropriate controls in place, rogue healthcare employees will on occasion access PHI out of curiosity or with malicious intent. Many in the industry consider it unfair for those breaches to remain on public display indefinitely alongside organisations that were deliberately in violation of HIPAA.
OCR Director Roger Severino said last month that “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.”
While the HITECH Act requires OCR to maintain the portal, the Act does not specify how long that information must be displayed. One popular suggested change was the introduction of a time limit for displaying the breach summaries. Some privacy advocates were concerned about the loss of information from the portal, which would make it hard for information about past breaches to be found for research purposes or by patients whose PHI may have been exposed.
Some changes have already been made to the breach portal, which have gone live today. The breach portal now displays all data breaches that are currently under investigation by OCR. OCR investigates all reported data breaches impacting more than 500 individuals. Currently, the list shows there are 354 active investigations dating back to July 2015.
The order of the list has also been changed so the most recent breach reports are displayed first. This change has been praised as a much more convenient order for checking the latest organizations to report data breaches.
The OCR has decided to move data breaches that occurred more than 24 months ago, along with breach investigations that have now been closed, to an archive. The archive can still be accessed through the site and is searchable, as before.
Since recent data breaches could appear in either the archive or the main list, this has the potential to make research and searches more complicated. OCR has addressed this issue by offering a research report containing the full list of breaches dating back to 2009.
OCR says the new updated portal “Puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved.”
The OCR has summarized the improvements made to its portal as follows:
• Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months
• New archive that includes all older breaches and information about how breaches were resolved
• Improved navigation to additional breach information
• Tips for consumers
Further updates to the portal are expected, with enhanced functionality and new features due to be added over time.