HHS reviewing OCR’s Wall of Shame

by Patrick Kennedy | Jun 17, 2017

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has published summaries of healthcare data breaches on its website, a list often referred to as OCR’s ‘Wall of Shame’.

The list gives only a brief summary of each data breach: the name of the covered entity, the state in which the covered entity is located, the covered entity type, the date the notification was made, the type of breach, the location of the breached information, whether a client was involved, and the number of individuals the breach affected.

The list includes all reported data breaches, including those that occurred through no fault of the healthcare organization. It is not a complete record of HIPAA violations, since those are determined during OCR investigations of breaches.

Rep. Michael Burgess (R-Texas), who recently criticized OCR over its data breach list, believes that making brief details of data breaches accessible to the public is an ‘unnecessarily punitive’ measure.

Burgess was advised at a recent cybersecurity hearing that HHS Secretary Tom Price is currently reassessing the website and how its information is made available to the public.

While the publication of the information is under review, publishing breach summaries is a requirement of the HITECH Act of 2009. Any move to stop publishing breach summaries on the website would require action by Congress. However, there is some scope for changes to how the information is displayed and to how long it remains available. The HITECH Act only requires the information to be made publicly available; it does not stipulate a specific length of time that a covered entity must remain on the list.

The rationale for publishing breach information is to inform the public of data breaches and to provide some detail on what happened. If a time limit were placed on how long a covered entity stays on the list, a member of the public could not tell whether a breach was a one-off event or one of several suffered by that covered entity.

OCR Director Roger Severino released a statement confirming the website’s relevance, saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.” He went on to explain, “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

While all options are currently being considered, some privacy advocates argue that the breach portal does not go into adequate detail and suggest that even more information should be added to the site to better inform the public about exactly what happened.


Patrick Kennedy
