In June 2017, the Department of Health and Human Services confirmed it was considering updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’.
Section 13402(e)(4) of the HITECH Act obliges OCR to maintain a public list of privacy breaches of protected health information that have impacted greater than 500 individuals. All 500+ record data breaches made known to the OCR since 2009 are listed on the breach portal.
The data breach list includes a wide variety of privacy breaches, many of which happened through no fault of the covered entity and included no violations of HIPAA Rules.
OCR has been on the receiving end of some criticism for its breach portal due to this reason, most recently from Rep. Michael Burgess (R-Texas) who said the breach portal was ‘unnecessarily punitive’ in its current state.
For example, burglaries will always occur even with adequate physical security in place and appropriate other controls in place. Additionally, rogue healthcare employees will access PHI out of curiosity or with inappropriate intent from time to time and with some consider it unfair for those breaches to remain on public display with no expiration.
OCR Director Roger Severino stated in June that “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.”
The HITECH Act requires OCR to have responsibility for the portal. However, the Act does not specify for how long that information must remain displayed. One potential aspect for change would be a time limit for displaying the breach summaries. There was concern from privacy supporters about the potential for losses of information from the portal, which would make it difficult for information about past breaches to be discovered for research purposes or by patients whose PHI may have been made public.
Alterations have been made to the breach portal. The breach portal now shows all data breaches that are currently under review by OCR. OCR looks into all reported data breaches that impact more than 500 individuals. Presently, the list shows there are 354 active reviews dating back to July 2015.
The order of the list has also been altered so the most recent breach reports are displayed at the top – making it more convenient for checking the latest organizations to report data and privacy breaches.
Data breaches that were made known to the OCR more than 24 months ago along with breach investigations that have now been closed off have not been lost, instead they have been moved to an active archive. This archive can be accessed through the site and is completely searchable, as before.
OCR has stated that the new updated portal “Puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved.”
Other improvement stated by OCR are:
- Better functionality that highlights breaches currently under review and reported within the last 24 months
- The addition of an archive that includes all older breaches and information about how breaches were settled
- Improved website navigation to additional breach information
- Tips and advice for consumers
More updates to the portal are to be made with the portal due to benefit from better functionality and new website features over time.