
HHS agrees to improve feedback process for healthcare data breach reporting

The U.S. Department of Health and Human Services building is shown Aug. 16, 2006, in Washington. (Photo by Mark Wilson/Getty Images)

The Department of Health and Human Services' Office of Civil Rights (OCR) has agreed to implement a feedback mechanism by adding language and contact information to the confirmation email that healthcare entities receive.

OCR also plans to ask its regional offices to routinely review and respond to emails received about the breach reporting process.

The move comes after the Government Accountability Office (GAO) recommended that HHS set up a feedback mechanism to enhance the effectiveness of its healthcare data breach reporting process, according to GAO's latest report.

The report looked at the number of breaches and affected individuals reported to HHS since 2015, examined HHS’ review process to assess covered entities’ security measures, and provided recommendations to help HHS improve communications for breach reporting. 

OCR is responsible for enforcing the Health Insurance Portability and Accountability Act's privacy, security and breach notification rules, which establish national standards for safeguarding protected health information (PHI) and require covered entities and their business associates to inform HHS of breaches of unsecured PHI.

While OCR developed a breach notification process, it does not offer a way for covered entities to provide feedback on the breach reporting process.

“The Deputy Director for Health Information Privacy stated that the primary method for the office to receive information is through a breach investigation and that there is no formal process or platform for a covered entity or business associate to provide feedback,” the report stated. 

“He noted that if a covered entity or business associate experienced issues during the breach reporting process, it could take one of three steps — schedule a meeting, email OCR at its publicly-available email address, or write a letter to OCR.”

According to a survey conducted by GAO among covered entities and business associates, 80% of respondents stated that they have experienced communication-related challenges during the breach reporting process. Some respondents suggested that OCR could provide “a platform to submit anonymous questions,” or set up a mechanism to “directly solicit feedback from the health care sector members.”

"Addressing this shortcoming will be an important step toward improving or simplifying aspects of the breach and investigations process and preventing long lapses of communication during ongoing breach reporting investigations," GAO noted in the report. 

Steady increase in PHI breaches since 2015

In addition to recommending a feedback mechanism, GAO's report identified a steady increase in the number of breaches involving unsecured PHI since 2015. There were 714 reported breaches of health information in 2021, almost three times higher than the number reported in 2015.

An increase in IT-related crime, such as ransomware attacks and business email compromises, may explain the rise in reported breaches, according to OCR's deputy director for health information and privacy.

The deputy director also noted that a lack of compliance with security rule requirements among covered entities and business associates can be another factor that led to the increase in the number of breaches.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
