HHS Resource for HIPAA Breach Reporting Just Got BetterWith all the talk about the recently announced Equifax hack, concern about data breaches is in the air. And in terms of data worth protecting, it doesn’t get more sensitive than personal health information, which, of course, is the rationale behind the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In late July, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) rolled out revisions to a 2009 resource intended to arm consumers with information about security breaches that may have impacted them. The newly improved HIPAA Breach Reporting Tool (HBRT) is intended for individuals seeking a listing of healthcare breaches, as well as for organizations who must comply with federal regulations and get the word out about the incidents.

HBRT: “source of information for concerned consumers”

“HHS heard from the public that we needed to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches,” said HHS Secretary Tom Price, M.D. in the agency’s press release. “To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers.”

Additionally, the HBRT can serve as an educational resource for those working in the healthcare field since it can reveal patterns or trends in security breaches. This, of course, can lead to the development of more effective, targeted protection against hacking and theft.

The site demands transparency in PHI breaches

The Health Information Technology for Economic and Clinical Act (HITECH) required the OCR to create the first version of the HBRT eight years ago. When a healthcare office or clinic or facility is the victim of a security breach, and if that breach results in the theft or compromise of the protected health information (PHI) of 500 (or more) patients, the entity suffering the breach is required to report the incident to the OCR. The HBRT extends this OCR-reported information to the public.

Along with the name and state of the entity subject to a PHI breach, information also included on the HBRT site are: date of the incident, type of breach (theft, loss, unauthorized access/disclosure, or hacking/IT event), number of people impacted by the breach, and specific location of the compromised or stolen information (desktop computer, laptop computer, paper file).

Reporting tool was due for an IT overhaul; HHS expresses commitment to continued attention

But since much has changed in the world of technology since the launch of the HBRT, it was likely in great need of an update. The HHS’ press release explains that the site now has a section compiling information on all prior HIPAA breaches, including the specific steps taken to ameliorate the problem. The revised HBRT site also contains advice for consumers, and boasts “improved navigation” and quick access to the most recent breaches (those reported within the past two years and those still being investigated).

The HHS expressed its openness to feedback from visitors to the site, as it intends to continue to improve the HBRT with an eye on solid functionality and ease-of-use for consumers.

“The HBRT provides health care organizations and consumers with the ability to more easily review breaches reported to OCR,” said OCR Director Roger Severino in the HHS press release. “Furthermore, greater access to timely information strengthens consumer trust and transparency – qualities central to the Administration’s focus on a more innovative and effective government.”

This blog post is provided for educational purposes only and is not offered as, and should not be relied on as, legal advice. Any individual or entity reading this information should consult an attorney for their particular situation. For more information/questions regarding any legal matters, please email info@nelsonhardiman.com or call 310.203.2800.