According to the latest report of the US Government Accountability Office (GAO), HHS has been called on to improve the healthcare data breach reporting process. GAO asked HHS to establish a dedicated mechanism for entities to provide feedback on the data breach reporting process. The recommendation follows GAO's review of the number of breaches reported to HHS since 2015. GAO analyzed the extent to which HHS has established a review process to assess a covered entity's security practices, and it assessed improvement opportunities relating to breach reporting requirements.
Data Breach Reporting Process
The HHS Office for Civil Rights (OCR) is primarily in charge of enforcing and implementing the HIPAA Security Rule, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule. It also develops and manages the healthcare breach reporting process. OCR's breach portal lists breaches affecting 500 or more individuals, and it shows that the number of reported breaches has been increasing rapidly over the past few years.
OCR's experts consider that the number of reported breaches may be correlated with the rise in IT-related crimes such as ransomware attacks and business email compromises. GAO's analysis showed that in 2015 there were 270 healthcare data breaches with more than 500 victims. In 2021, covered entities and their business associates reported a total of 714 breaches impacting more than 500 individuals.
"The health care providers may have reported the highest number of breaches because there are significantly more health care providers compared to other types of covered entities."
OCR's Deputy Director for Health Information Privacy
However, HHS still does not have a proper tool for collecting meaningful feedback on the breach reporting process. Breach cases are increasing, and covered entities and business associates may face challenges during the breach reporting process. GAO reports that there is a pressing need for a clear mechanism to provide feedback to OCR. Soliciting feedback would help OCR improve or simplify aspects of the process. It may also reduce the long lapses in communication during ongoing breach investigations.
The OCR’s Breach Portal
Reporting an incident to OCR's breach portal is only the first step in the breach reporting process. Once OCR is notified, an OCR regional office must verify the breach within 10 business days. The regional office then initiates an investigation into the root cause of the breach. The investigation also confirms that the impacted entity has notified the affected individuals.
How long it takes to close the investigation varies depending on the results. OCR either concludes that the entity took adequate steps to safeguard PHI, or it determines that the entity did not secure PHI as required by HIPAA. In the latter case, OCR may impose a civil monetary penalty, help the entity correct deficiencies, or establish a corrective action plan. HHS concurred with GAO's recommendations and said it would begin soliciting feedback on the breach reporting process.
Throughout this process, GAO noted, there is no formal way to provide feedback. If an entity experiences challenges during the process, its options are scheduling a meeting, writing a letter to OCR, or emailing OCR's publicly available email address. To advance these efforts, in March 2022 OCR finalized standard operating procedures for investigators to use when assessing covered entities' recognized security practices.
"OCR plans to finalize the review process for considering whether covered entities and business associates have implemented recognized security practices no later than the summer of 2022. If the office can complete the associated tasks in the expected timeframe, covered entities and business associates would have more information available on the process and in turn may be better equipped to prepare for OCR's breach investigations."
The GAO report