OCR to Seek Feedback from HIPAA-Regulated Entities on HIPAA Breach Reporting Process

The Government Accountability Office has published the findings of a report that assessed the breach reporting requirements for entities covered by the Health Insurance Portability and Accountability Act and the extent to which the HHS has implemented ‘recognized security practices.’

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 introduced breach notification requirements for HIPAA-regulated entities and was the basis of the HIPAA Breach Notification Rule. Under that Rule, HIPAA-covered entities are required to issue notification letters to individuals whose protected health information (PHI) has been impermissibly disclosed and when there was more than a low risk that their PHI has been impermissibly accessed. The HIPAA Breach Notification Rule also requires HIPAA-regulated entities to notify the Secretary of the Department of Health and Human Services about breaches of PHI.

As required by the HITECH Act, the HHS developed a mechanism to allow breaches to be reported – The Breach Portal on the HHS website. The HHS was also required to publish summaries of reported data breaches of 500 or more healthcare records. The Breach Portal became known as the HIPAA Wall of Shame.

The main aims of the HITECH Act were to improve quality, safety, and efficiency in healthcare, ensure privacy and security, improve care coordination, increase patient engagement, and improve the health status of the population through the use of health information technology. In January 2021, an amendment was made to the HITECH Act that introduced a partial HIPAA safe harbor for HIPAA-regulated entities that could demonstrate they had adopted recognized security practices. The amendment requires the HHS to consider the recognized security practices that have been in place continuously for the previous 12 months when making determinations during its HIPAA enforcement activities.

Recently, the Government Accountability Office (GAO) published a report detailing the findings of a study conducted into the breach reporting process set up by the HHS. GAO had been requested to review the requirement for HIPAA-regulated entities to report data breaches to the HHS and studied HHS policies, procedures, and documentation, reviewed privacy and information security laws, conducted interviews with officials at the HHS’ Office for Civil Rights, and surveyed HIPAA covered entities and business associates. GAO also investigated the extent to which HHS has established a review process to assess whether covered entities had implemented recognized security practices.

GAO found that the HHS met its obligations with respect to recognized security practices, having issued a request for information on this new requirement from the public and implementing standard operating procedures for its investigators. The process will be completed no later than the summer of this year.

With respect to the breach reporting requirements, GAO determined that the HHS had not implemented a mechanism for obtaining feedback from HIPAA-regulated entities on the breach reporting process. In order to improve that process, feedback is required from covered entities and business associates on how that process works and any challenges that are faced.

OCR concurred with the recommendation and will change the language on the email confirmations that are sent when HIPAA-regulated entities report data breaches to explain how feedback can be provided, and OCR regional offices will regularly review any feedback received. This will allow OCR to make improvements to the breach reporting process.