HHS Tweaks Infamous Health Data Breaches ‘Wall of Shame’
Rumored changes to the infamous health data breach “wall of shame” were announced recently by US Department of Health and Human Services (HHS) Secretary Tom Price, and they were more muted than some industry observers were predicting earlier this summer.
The HIPAA Breach Reporting Tool (HBRT), also known to some as the “wall of shame,” is a website mandated by the 2009 HITECH Act where the HHS Office for Civil Rights (OCR) publishes a list of breaches affecting the health data of over 500 individuals. In April, a House of Representatives subcommittee held a hearing on the website to reevaluate its effectiveness in helping other providers understand how to better protect themselves from breaches.
The HBRT has always included the following information: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer).
Rep. Michael Burgess (R-Texas), a physician, worried that publishing the names of the providers with breaches was unnecessarily punitive, Fierce Healthcare reported. In a statement to that publication, Burgess noted that while he supports efforts to protect patient data, “I remain concerned by OCR’s usage of the Breach Portal and the public exposure of victims. I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”
Updates to the HBRT, according to a statement from Price, include:
- Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months
- New archive that includes all older breaches and information about how breaches were resolved
- Improved navigation to additional breach information
- Tips for consumers
HHS stated that it plans to expand and update the site over time.
As former OCR officials noted about the tool back in June, Congress limits the ways HHS can change the HBRT. HITECH required OCR to make information on data breaches available to the public, though how exactly it does so is still up for debate.