Is Breach List Prominent Enough?
Finding federal list is a chore
The Office for Civil Rights at HHS is responsible for compiling and posting the list, called for under the HITECH Act. To find the list of breaches requires five steps.
After entering the OCR web site, hhs.gov/ocr, a visitor must click on "Health Information Privacy," "HIPAA Administrative Simplification Statute and Rules," "Breach Notification Rule" and then, in the right margin, "View Breaches Affecting 500 or More Individuals."
Is it prominent?
Asked about why the breach list is so deep within the OCR site, the office replied in an e-mail, "The OCR HIPAA privacy web site is one of the most visited web sites in the department, and the link to the new breach web site is prominently available from the home page."
The HHS home page, indeed, has a "Health Information Privacy (HIPAA)" link in the lower right margin. Visitors who click on that are linked to the OCR's "Health Information Privacy" page, which is three clicks away from the breach list.
One security consultant contends the approach OCR is taking does not live up to the Congressional intent in passing the HITECH Act. Congress intended for there to be an easily accessible "wall of shame" that consumers can use to identify organizations that have had major breaches, says Kate Borten, president of The Marblehead Group, a security consulting firm based in Marblehead, Mass.
"That web page is so buried that even people who knew it was there have had trouble finding it," Borten adds.
The HITECH Act, however, simply states that HHS must post on its web site a list of the major breaches. It does not specify precisely how or where the information must be posted.
For seven of the breaches, the site of the breach is only identified as "private practice" rather than the specific name of the organization. "Under current Privacy Act provisions, the Office of Civil Rights may not disclose the names or other identifying information about private practitioners without their written consent," the office said.
So far, the OCR has added 11 more breach reports to the list of 36 it originally posted on Feb. 22.
The list now shows 47 healthcare breaches in order by date of occurrence. Because of the way breach reports are added, it's impossible to pinpoint which ones are newly posted. For example, some reports added in recent days date back to incidents in December.
"The OCR organizes breaches based on the date of the breach, as opposed to date of discovery or date of report, so the most recent breaches will always appear at the top of the list," the office said. New breaches are added to the site once they are verified by OCR regional offices.
The office said it has no plans to issue alerts or press releases regarding updates to the breach list.
The most recent incident posted occurred Feb. 15. So far, four breaches have been posted for February and five for January. The list includes 12 December incidents, seven in November, 11 in October and eight in September.
Under the HITECH Act's breach notification rule, breaches affecting more than 500 individuals must be reported to HHS and the media within 60 days. Smaller breaches must be reported to HHS annually.
Although the rule went into effect last September, HITECH called for a grace period with no penalties until Feb. 22. The Office for Civil Rights enforces the breach notification rule.
The OCR will report to Congress annually the number and nature of breaches reported and actions taken in response to those breaches. That annual report, which will be posted on the OCR web site, will include breaches of all sizes, officials said.
The deadline for healthcare organizations to provide an annual summary of breaches of all sizes to HHS was March 2.