OCR planning breach portal shake-up?

Posted: Jun 22, 2017

For the past 9 years, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published all reported breaches of unsecured protected health information (PHI) affecting 500 or more individuals on its Breach portal – more commonly referred to as the “wall of shame” – as required by section 13402(e)(4) of the HITECH Act.

The public portal allows anyone to access up-to-date data breach information – including the name of the company affected, its location, covered entity type (Healthcare provider, Health plan, or Business Associate), breach submission date, type of breach, location of breach, and the number of individuals affected – which makes it a useful tool for individuals affected by the breaches, or for anyone looking to gain insights into healthcare data breach trends more generally.

However, given its controversial subject matter and potential to further damage the reputation of affected organizations, not everyone is so supportive of the website. This was highlighted in a recent FierceHealthcare article, in which it was reported that HHS is considering making changes to the portal, following concerns raised by senior government officials.

The article references a healthcare cybersecurity hearing which took place in June, during which an exchange between Leo Scanlon, deputy chief information security officer at HHS, and Michael Burgess (R-Texas) revealed that HHS Secretary Tom Price is “reassessing” the portal. This followed a conversation that took place during an April subcommittee, when Burgess criticized the portal for being unnecessarily punitive.

Burgess expressed concern that making all breach information publicly available is unfair to entities that are attacked through no fault of their own. Speaking to FierceHealthcare on the matter, Burgess said “I am supportive of efforts to protect patient information. However, I remain concerned by OCR’s usage of the Breach Portal and the public exposure of victims. I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

We suspect this is a view shared by many – not least the entities that feel unfairly penalized – but because HHS is required to publish breach information under the HITECH Act, its hands are essentially tied. That isn’t to say there is no scope for change in the way HHS manages the data: the agency has ultimate control over the portal itself, so companies could, for example, be listed on the portal for a set period of time before being taken down. While this would certainly be welcome news to those listed on the portal, others argue it would undermine the portal’s overall objective: to help the public understand why and how a data breach occurred.

In responding to recent criticism of the portal, OCR Director Roger Severino acknowledged that the format has become “stale and can and should be improved” and that OCR will “continue to evaluate the best options for communicating this information as we meet statutory obligations.”

Is change on the horizon? Watch this space. For more information check out the original article at www.fiercehealthcare.com.