The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) revised its HIPAA Breach Reporting Tool on July 25 to improve ease of use and navigation.
The most significant change made to the webpage, which is sometimes referred to as the “Wall of Shame” by critics, is that all breaches reported within the last 24 months that are still being investigated are listed in their own tab for quick reference.
A separate tab labeled ‘Archive’ lists all breach reports that have been resolved or are older than 24 months. Those reports also now include information on how breaches were resolved.
Previously, all breaches reported since 2009 were listed on the same webpage, making it difficult to differentiate between facilities that have taken steps to mitigate breaches and those that are still under investigation.
A new third tab labeled ‘Help for Consumers’ allows people who think they’ve been the victim of identity theft to verify information on their medical records and also offers resources for people to protect themselves following a breach.
A screenshot of the new webpage is included below.
The changes are seen as a response to user complaints about the tool’s ease of use and criticism from Rep. Michael Burgess, M.D. (R-Texas), who argued the webpage is overly punitive, especially for hospitals that have been the victim of ransomware attacks, reports fiercehealthcare.com.
“HHS heard from the public that we needed to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches,” HHS Secretary Tom Price, M.D., said in a statement announcing the changes. “To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers.”
The statement also read, “HHS plans on expanding and improving the site over time to add functionality and features based on feedback.”
HHS would need Congressional approval to make extensive changes to the Breach Reporting Tool, which is outlined in the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH mandates that the OCR audit healthcare entities to ensure compliance with HIPAA’s privacy rule.
For instance, all breach reports since 2009 are still listed on the website. These reports are required to be published if they affect more than 500 patient records. Healthcare entities must report such breaches to HHS within 60 days of their discovery.
OCR Director Roger Severino also defended the Breach Reporting Tool in the announcement of the changes.
“The HBRT provides health care organizations and consumers with the ability to more easily review breaches reported to OCR,” said Roger Severino, Director of OCR. “Furthermore, greater access to timely information strengthens consumer trust and transparency – qualities central to the Administration’s focus on a more innovative and effective government.”
Read HHS’ full statement here and visit the new webpage here.