The Security Scrutinizer with Howard Anderson

Federal Breach List Gets a Facelift

The Department of Health and Human Services' list of breaches affecting more than 500 individuals, launched back in February, now is displayed in an easier-to-use spreadsheet format. The new format enables viewers to sort reported incidents by several factors, including date of incident, name of organization, number of individuals affected and type of breach.

But alas, there's no easy way to view breaches by the date they were posted, so it's tough to find the newest items. That's because OCR adds incidents as details are confirmed. Finding the posting date requires clicking on an individual item or downloading a separate spreadsheet.

As of July 14, the list, which was mandated by the HITECH Act, included 113 incidents. Under the HITECH breach notification rule, healthcare organizations must report breaches affecting more than 500 individuals to OCR, the media and the individuals affected within 60 days.

In an earlier blog, we lamented that it took five clicks to find the breach list, whether starting at the HHS site or the OCR site. Now, it can be found with just two clicks. And that's a big improvement that will prove especially helpful to consumers who want to know if their local hospital or clinic is on the list.

In another major improvement, for the first time, the list displays solo practitioners by name, rather than identifying them only as "private practices."

Back in April, OCR announced plans to add the names of solo practitioners to the site, with a target date of sometime after May 23.

When we originally asked why these practices weren't named on the list, OCR officials said, "Under current Privacy Act of 1974 provisions, the Office for Civil Rights may not disclose the names or other identifying information about private practitioners without their written consent."

Well, OCR took a closer look, and it determined that by expanding the definition of "routine use" of information that it gathers with its "system of records," it could justify naming names.

And that's only fair because all other organizations of all sizes are named on the list.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
