HHS reviewing OCR’s Wall of Shame

Beginning from 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website, a list is often referred to as OCR’s ‘Wall of Shame’.

This list only gives a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is located, covered entity type, date the notification was made, type of breach, location of breach information, whether a client was involved and the number of individuals the breach affected.

The list includes all reported data breaches. It includes those which happened due to no fault of the healthcare organization. The list is not a complete record of HIPAA violations as those are ruled on during OCR investigations of breaches.

Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list believes making brief details of the data breaches accessible to the public is an ‘unnecessarily punitive’ measure.

Burgess was advised at a cybersecurity hearing recently that HHS secretary Tom Price is currently reassessing the website and how the information is made available to the public.

While the publication of information is being investigated, the publication of breach summaries is a necessity of the HITECH Act of 2009. Any steps taken to stop publishing breach summaries on the website would require assistance from Congress. However, there is some potential for changes be made as to how the information displayed and the duration that it is made available. HITECH Act only requires the information to be made available publicly. The ACT does not stipulate a specific length of time that the covered entity should remains on the list.

The logic behind the publication of breach information is to advise the public of data breaches and to provide some information on what has happened. If there was a time restriction placed on the length of time a covered entity stayed on the list, it would not be possible for a member of the public to deduce whether a breach was an once-off event or one of several suffered by a covered entity.

OCR Director Roger Severino released a statement confirming the relevance of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved”. He went on to explain “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess informed Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

While all options are currently being considered, some privacy supporters argue that the breach portal does not go into adequate detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has happened.