Wall of Shame of OCR Under Evaluation by HHS

Ever since 2009, the Division of HHS’ OCR has been issuing outlines of healthcare files’ breaches on its internet site. The data breach list is usually known as ‘Wall of Shame’ of OCR.

The data breach list just provides a short synopsis of data breaches, including the name of the protected unit, the state in which the protected unit is based, protected unit kind, date of notice, kind of breach, place of breach information, whether a BA was implicated and the number of people impacted.

The list contains all reported data breaches, including those which happened because of no mistake of the healthcare business. The list isn’t a proof of HIPAA breaches. Those are decided during OCR inquiries of breaches.

Making short details of the data breaches available to the general public is a ‘needlessly punishing’ action, as per Rep. Michael Burgess (R-Texas), who lately censured OCR regarding its data breach list.

Burgess was updated at a cybersecurity trial last week that Tom Price, HHS secretary is presently reviewing the website and the way the data is shared.

Though the publication of info is reviewed, the publication of breach outlines is a condition of the HITECH Law of 2009. Any conclusion to cease distributing breach synopses on the website would need support from Legislature. Nevertheless, it’s possible for modifications to be made to the way the information is shown and for how much time the info is made available. HITECH Law just needs the info to be circulated. It doesn’t require the duration of time that the protected unit continues on the list.

The purpose of the publication of breach info is to inform the general public of data breaches and to offer specific info on what has happened. In case there was a deadline placed on the duration of time a protected unit continued on the list, it won’t be likely for a member of the general public to decide whether a breach was a single event or one of many suffered by a protected unit.

Roger Severino, OCR Director released a statement verifying the effectiveness of the website stating, “The website offers a vital basis of info to the general public, however, we accept that the format has become outdated and can and must be upgraded,” clarifying “OCR will carry on to evaluate the best alternatives for sharing this info as we satisfy legal requirements, train the regulated community (as well as the public) on programs learned, and underscore actions taken in reaction.”

Burgess said Fierce Healthcare, “I am concerned about following solutions that keep hospital organizations responsible for keeping patient secrecy without vilifying organizations that might fall victim to extensive ransomware attacks, like WannaCry.”

Obviously, in the event of the WannaCry attacks, healthcare companies might not be guiltless. The attacks were only likely as a consequence of the failure to use patches quickly. Nevertheless, in its present form, there won’t be any sign on the website that a protected unit had suffered a ransomware attack because the breach list doesn’t go into that much detail.

Although alternatives are being deliberated, some secrecy supporters claim that the breach portal doesn’t go into nearly sufficient detail and propose even additional info must be uploaded to the site to better update the public on precisely what has happened.