The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 introduced new breach reporting requirements for HIPAA-regulated entities and called for the Secretary of the Department of Health and Human Services (HHS) to create a mechanism for HIPAA-regulated entities to report breaches of protected health information. The HHS was also required to create and maintain a publicly accessible list of breaches of protected health information that have affected 500 or more individuals. The breach portal became widely known as ‘the HIPAA Wall of Shame.’
One of the main aims of the HITECH Act was to encourage healthcare organizations to implement Health IT, such as electronic health record systems. Health IT has the potential to enhance healthcare delivery, improve collaboration through the sharing of patient information, and empower providers to make informed decisions about patients; however, Health IT can make healthcare data more vulnerable.
The HHS Breach Portal shows a marked increase in reported data breaches over the years; since the breach reporting requirements were introduced, only one year has failed to show a year-over-year increase. In 2015, 270 breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). In 2021, 714 breaches were reported. The HIPAA Security Rule requires HIPAA-regulated entities to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. To encourage HIPAA-regulated entities to implement recognized security practices, an amendment was made to the HITECH Act in January 2021 that called for OCR, when making determinations in its enforcement activities, to consider whether recognized security practices had been in place continuously for the 12 months prior to a data breach occurring.
The change introduced a partial HIPAA safe harbor: if recognized security practices had been implemented, HIPAA-regulated entities would face less scrutiny over data breaches, and financial penalties for HIPAA violations would be reduced or avoided. Following the change, OCR sought feedback from healthcare industry stakeholders and the public on the implementation of recognized security practices, and that process is due to be completed this summer.
The Government Accountability Office (GAO) recently conducted a study to review the required reporting of data breaches to the HHS, assess the extent to which the HHS has established a process to determine whether recognized security practices have been implemented, and determine the extent to which improvements can be made to the current data breach reporting requirements.
As part of this study, GAO reviewed privacy and information security laws, analyzed HHS documentation, policies, and procedures, conducted interviews with OCR officials, and surveyed HIPAA-regulated entities. GAO confirmed that the HHS has taken sufficient action regarding the implementation of the HITECH Act changes regarding recognized security practices but made one recommendation regarding the breach reporting process.
OCR has implemented a mechanism that HIPAA-regulated entities use to report data breaches, but it has not developed or implemented a method for those entities to provide feedback on the breach reporting process, and GAO found that OCR had no plans to develop one. Without a clear mechanism for providing feedback to OCR, any challenges HIPAA-regulated entities encounter with the reporting process would likely remain unaddressed. GAO recommended that OCR develop a process for soliciting feedback on the breach reporting process, as this would enable OCR to identify such challenges and improve the reporting process.
OCR concurred with the recommendation and will include language in the confirmation emails sent to HIPAA-regulated entities that report breaches on how they can submit feedback on the breach reporting process. OCR will also implement procedures at OCR regional offices for regularly reviewing submitted feedback.