Breach List: Too Many Clicks
While the U.S. Department of Health and Human Services is living up to the letter of the law in posting the list deep within its Office for Civil Rights' Web site, it's sure making it difficult to reach the list.
Finding the list requires five steps, whether you start by entering the Office for Civil Rights' site or the HHS site. But you have to know what clicks to make. And that's far from obvious.
To simplify things for you, here's the direct link.
Security consultant Kate Borten contends the approach OCR is taking does not live up to the Congressional intent in passing the HITECH Act. Congress intended for there to be an easily accessible "wall of shame" that consumers can use to identify organizations that have had breaches affecting more than 500 individuals, says Borten, president of The Marblehead Group, a security consulting firm based in Marblehead, Mass.
"That web page is so buried that even people who knew it was there have had trouble finding it," Borten adds.
Asked why the breach list is so deep within the OCR site, the office replied in an e-mail, "The OCR HIPAA privacy web site is one of the most visited web sites in the department, and the link to the new breach web site is prominently available from the home page."
The HHS home page has a "Health Information Privacy (HIPAA)" link in the lower right margin. Visitors who click on that are linked to the OCR's "Health Information Privacy" page, which is three clicks away from the breach list.
The HITECH Act simply states that HHS must post on its Web site a list of the major breaches. It does not specify precisely how or where the information must be posted. So HHS is living up to the letter of the law.
OCR also points out that those most interested in finding out about major breaches, the individuals who may be directly affected, receive notices in the mail from their local hospital, clinic or other covered entity. Plus, the organization reporting the breach must notify the local media as well.
"Therefore, prior to our posting of the reported breaches on the web site, the public most affected by these events have received notice," OCR said in an e-mail to HealthcareInfoSecurity.com.
That's all true. But shouldn't someone shopping for a doctor or a hospital be able to easily find out if that organization has a history of security problems? For now, it don't come easy.
And the list itself has some problems.
For seven of the breaches posted on the list so far, the site of the breach is only identified as "private practice" rather than the specific name of the organization.
When asked about this, OCR replied, "Under current Privacy Act provisions, the Office of Civil Rights may not disclose the names or other identifying information about private practitioners without their written consent."
Perhaps it's time for some attorneys to sort through the issues involved so solo practitioners, as well as larger clinics, can be identified in the list. Fair is fair.
Plus, it's impossible to tell what breaches have been added to the site from week to week. That's because they're listed in order based on the date of the incident. In recent days, items dating back to December have been added. So it's tough to figure out which reports are new.
OCR could take a simple step, like adding the date when each breach was posted on the site, to make it easier for folks to identify new cases using the scorecard.
OCR also could provide a state-by-state guide, with an alphabetical list of organizations that have reported breaches. That way, if you moved to another state, you could easily find the list of local organizations with breaches reported.
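Until OCR adds a posting date or a state index, anyone who wants to track the list has to do the bookkeeping themselves. The script below is an added example, not code from OCR or from this article: it keeps two weekly snapshots of the list (the records here are constructed sample data, not real breach reports), works out which entries are new even though the list is ordered by incident date, and builds the state-by-state alphabetical view suggested above. Because "private practice" entries carry no unique name, it compares the snapshots as multisets rather than assuming each record is distinct.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample snapshots of a breach list (not real OCR data).
# Each record: (covered entity, state, individuals affected, breach date).
# Entries are ordered by breach date, as the article describes, so a
# December incident can be added later yet sort near the top.
SNAPSHOT_WEEK1 = [
    ("Example Health System", "CA", 1200, date(2010, 1, 5)),
    ("Private Practice", "TX", 800, date(2010, 1, 20)),
    ("Sample Clinic", "NY", 2500, date(2010, 2, 2)),
]
SNAPSHOT_WEEK2 = [
    ("Demo Hospital", "OH", 3100, date(2009, 12, 18)),    # back-dated addition
    ("Example Health System", "CA", 1200, date(2010, 1, 5)),
    ("Private Practice", "TX", 800, date(2010, 1, 20)),
    ("Private Practice", "TX", 800, date(2010, 1, 20)),   # second, identical entry
    ("Sample Clinic", "NY", 2500, date(2010, 2, 2)),
    ("Test Medical Group", "CA", 640, date(2010, 2, 15)),
]


def new_entries(earlier, later):
    """Return records present in `later` but not in `earlier`, in list order.

    The list carries no posting date and "Private Practice" rows are not
    unique, so the comparison is a multiset difference: a record that
    appears twice in `later` but once in `earlier` is reported once.
    """
    remaining = Counter(earlier)
    added = []
    for rec in later:
        if remaining[rec] > 0:
            remaining[rec] -= 1      # matches a record already seen last week
        else:
            added.append(rec)        # no unmatched copy left, so it is new
    return added


def by_state(records):
    """Group records by state code, alphabetized by entity name within a state."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[1]].append(rec)
    return {
        state: sorted(recs, key=lambda r: (r[0].lower(), r[3]))
        for state, recs in sorted(groups.items())
    }


if __name__ == "__main__":
    for rec in new_entries(SNAPSHOT_WEEK1, SNAPSHOT_WEEK2):
        print("new since last snapshot:", rec)
    for state, recs in by_state(SNAPSHOT_WEEK2).items():
        print(state, [r[0] for r in recs])
```

Running it against the constructed snapshots flags the back-dated Demo Hospital entry, the second Private Practice row and Test Medical Group as new, and prints CA, NY, OH and TX groupings with entity names in alphabetical order. Keeping the snapshots themselves (with the date you fetched each one) is what substitutes for the posting date the list lacks.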