Healthcare Breach Reporting

December 21, 2009
Doug Pollack

In a recent post on blog.idexpertscorp.com, Doug Pollack wondered why no healthcare data breaches had yet been posted on the Health and Human Services (HHS) Office of Civil Rights (OCR) website, given that a number of substantial incidents have occurred.

In a recent post, I was wondering why there have yet to be any healthcare data breaches posted on the Health and Human Services (HHS) Office of Civil Rights (OCR) website. Because a number of substantial incidents have been reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear whether the covered entities were remiss in reporting or whether the hold-up was at OCR.

With some encouragement, I was given the name of the responsible person at OCR and emailed her to ask about this seeming discrepancy. She was kind enough to provide the following reply from Hannah Stahle, JD, Health Information Privacy Specialist:

“In response to your question regarding the posting of breaches on the OCR website, we have been receiving reports from covered entities of breaches affecting 500 or more individuals since the effective date of the regulation. We are now in the process of working to establish our web page for posting information regarding such breaches. Because the breach notification regulation imposed a new reporting requirement on covered entities, which has been in effect for less than three months, we are taking extra care to ensure that all breach notifications we receive are accurate before we post any information on our website.”

It is wonderful to know that covered entities are in fact reporting breach incidents as required, and that HHS is working to ensure that their reporting site is accurate given the sensitive nature of the incidents being reported.

I had also asked about whether there were likely to be changes to the “harm threshold” guidance between now and the issuance of the Final Rule. She again commented that:

“With respect to your question concerning the harm threshold, we are in the process of analyzing the comments we received in response to the interim final regulation and will be developing a final breach regulation in the near future. The harm threshold generated many comments on both sides of the issue, and we will consider all comments as we begin to develop the policy for the final rule.”

I do believe that there are two issues at play here. The first is that it is difficult to expect a covered entity to make a completely impartial determination of the level of harm represented by a data breach incident when it has a lot to lose by acknowledging that the incident did in fact create a threat of harm to the affected individuals. The second is that it would be desirable for the Rules to be as unambiguous as possible, so that organizations do not need to make “judgment calls” on the level of harm caused by incidents.

ID Experts is the leading provider of identity theft protection and recovery services, covering over 3 million satisfied individuals and families. Visit http://blog.idexpertscorp.com to read more posts. Follow ID Experts on Twitter @idexperts.