OCR’s “Wall of Shame” Under Scrutiny

The Office for Civil Rights’ “Wall of Shame” was established in December 2009. This data portal contained summaries of healthcare data breaches published on the website by OCR.

The list only provides a short synopsis of data breaches that involved more than 500 documents. The information includes the name of the covered entity, the state in which the covered entity is based, the covered entity type, the date of notification, the type of breach, the location of the breached information, whether a business associate was involved and the number of individuals affected.

The list fails to discriminate between breaches which occurred through no fault of the healthcare organization and those which were the result of negligence on the organization’s part. Therefore, the list is not a record of HIPAA violations, as accidental breaches do not constitute violations.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list and its apparent condemnation of those who experienced accidental breaches.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the publication of information is under review, the publication of breach summaries is a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require assistance from Congress. However, it is possible for changes to be made to how the information is displayed and for how long the information is made available. The HITECH Act only requires the information to be published; it does not explicitly state for how long a covered entity must remain on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide them with some basic information on the nature of each breach. If a time limit were placed on how long a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by that covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

In the case of the WannaCry attacks, the affected healthcare organizations are not entirely blameless for the breach occurring. The attacks would not have been possible had the organisation applied the appropriate patches promptly. However, in its current form, there would be no indication on the website that a covered entity had experienced a ransomware attack as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on the exact nature of a breach, taking care to inform them of whether or not the organisation could be blamed for it having occurred.