Yesterday, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced the launch of a newly revised HIPAA Breach Reporting Tool. The tool, commonly referred to as the “Wall of Shame,” is a publicly available listing of reported breaches of unsecured protected health information (“PHI”) affecting 500 or more individuals.
History/Origination of the Wall of Shame. The HIPAA Breach Reporting Tool was first released in 2009 as a requirement of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. According to OCR, the revised tool: (1) helps individuals to better identify recent breaches and learn how all HIPAA breaches are investigated and successfully resolved and (2) educates the industry on the types of breaches that are occurring and how they are commonly resolved. The tool is meant to empower individuals as well as educate the industry to improve the security posture of their organizations.
New and Improved Wall of Shame Features. The “Wall of Shame” we are familiar with identifies the name of the entity, the state where the entity is located, the number of individuals affected by the breach, the date of the breach, the type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure), and the location of the breached information (e.g., laptop, paper records, desktop, network server). It now distinguishes between (1) breaches reported within the last 24 months that are currently under investigation (with 354 listed breaches) and (2) archived breaches (i.e., resolved breaches and reports older than 24 months) (with 1,653 listed breaches). It also now includes enhanced functionality, an archive of all older breaches and how they were resolved, improved navigation to additional breach information, and consumer tips.
Long Stay on the Wall of Shame. While the HITECH Act requires publication of breach summaries, it does not prescribe a length of time that the entities remain on the list. However, covered entities and business associates should be prepared for a long stay on the “Wall of Shame” with the expanded archive feature, which includes all “500 and over” breaches reported to OCR since October 2009.
More Information About Breaches. While entries for breaches under investigation do not include additional information, the archive includes a “Web Description” with OCR’s summary of most incidents. The summaries outline the PHI involved, the entity’s breach notification and mitigation efforts, and OCR’s investigation and resolution. The descriptions will likely serve as a helpful learning tool for individuals and the industry on OCR’s process for resolution and technical assistance. However, the descriptions may also highlight certain facts and outcomes that entities would prefer to keep private, or would prefer to supplement in order to provide a full picture of the incident.
OCR also announced that it plans on expanding and improving the tool over time to add additional functionality and features based on feedback. For more information about breach investigations, the breach notification process, or security safeguarding measures generally, please contact the author or your von Briesen health law attorney.