Compliance Management, Governance, Risk and Compliance

HHS lacks effective communication for HIPAA breach reporting feedback

The  U.S. Department of Health and Human Services building is shown Aug. 16, 2006, in Washington. (Photo by Mark Wilson/Getty Images)

The Office for Civil Rights lacks a communication channel for covered entities to provide the regulator with feedback on the Health Insurance Portability and Accountability Act’s breach reporting process, according to a new Government Accountability report.

Without effective communication, provider organizations, business associates, and other covered entities are facing challenges with the overall process for reporting breaches to the Department of Health and Human Services, the report shows.

Soliciting feedback from impacted entities could effectively help OCR improve the reporting process and decrease long lapses of communication during ongoing breach reporting investigations.

As it stands, the current method for providers to receive feedback is through a breach investigation.

“There is no formal process or platform for a covered entity or business associate to provide feedback,” according to the process. “If a covered entity or business associate experienced issues during the breach reporting process, it could … schedule a meeting, email OCR at its publicly-available email address, or write a letter to OCR.”

The report shows the primary concern is that the national cybersecurity plan for critical infrastructure is centered around the collaboration of industry leaders to “understand challenges and solutions related to critical infrastructure security and resilience.”

GAO attempted to survey healthcare leaders, but the survey had a low response rate. Those who did respond agreed the OCR’s reporting process was efficient.

The real challenge for the vast majority of reporting providers was directly tied to communication challenges with the breach reporting process. Respondents suggested a number of ways OCR could improve those processes, including a platform for submitting anonymous questions and a method for directly soliciting feedback from sector members.

If OCR addressed the communication “shortcoming” it could be “an important step toward improving or simplifying aspects of the breach and investigations process.”

GAO urged HHS to ensure OCR establish this mechanism to improve the breach reporting process, for which “HHS generally concurred.” Agency officials said they would take steps to implement the function, by first soliciting feedback tied to the breach reporting process whenever a breach notification is submitted.

OCR also intends to set up a mechanism for providing feedback on breach reporting and investigative processes, including the addition of language and contact information to confirmation emails sent to entities that file reports through the breach reporting tool and implementing procedures for regional offices to review feedback.

Safe Harbor law prompts need for clear OCR communication

The report is notable given the enactment of the HIPAA Safe Harbor bill in January 2021, which amended the HITECH Act to require HHS to consider the security practices of entities impacted by a data breach when making determinations on potential civil monetary penalties or other enforcement discretions.

“It states that when HHS is making determinations related to fines, audits, or remedies to resolve potential violations of the Security Rule, [it] shall consider whether the covered entity or business associate has adequately demonstrated that it had implemented recognized security practices for the previous twelve months,” according to the GAO report.

The law effectively incentivizes providers for implementing best practice cybersecurity.

OCR is tasked with investigating all reported healthcare data breaches, which is verified by the regional office within 10 business days before an investigation into the root cause. If the agency finds the entity did not adequately secure protected health information, OCR can provide technical assistance, issue a resolution agreement, or impose a civil monetary penalty.

Since the enactment of the Safe Harbor bill, the report shows OCR is making progress on the development of a process to effectively evaluate the security processes of covered entities and business associates.

OCR plans to finalize the review process for determining whether covered entities and business associates have implemented recognized security practices no later than the summer of 2022. GAO notes that if OCR meets its time frame, reporting entities could be better informed about the process — and may be more equipped to prepare for an OCR audit.

The agency has already set up standard operating procedures for its investigators and sought public comment on effective security implementations. The stakeholder feedback will be used to “develop future guidance to assist regulated entities in improving the cybersecurity and safeguarding of the electronic PHI they hold.”

The final stage is health sector outreach “to officially communicate to the healthcare sector and raise awareness regarding the process to consider recognized security practices at the conclusion of an investigation, including those involving a breach.” OCR has also added to its  recognized security practices and is scheduling public webinars.

GAO contends that while OCR has taken steps to enact an evaluation process to assess whether entities leveraged recognized security practices ahead of a reported incident, there is still room for improvement.

Breach trends

The GAO report also details notable findings from OCR’s deputy director for health information privacy on reported healthcare data breaches. Specifically, the rise in reported incidents may correlate with the overall increase in global IT crimes. In total, hacking and IT incidents caused 55% of the 3,200 breaches reported to HHS between 2015 and 2021.

Overall, there’s been a whopping 843% rise in reported hacking and IT incidents since 2015. For comparison, unauthorized access and disclosure has only increased by 43% during the same timeframe.

Further, providers may have the most reported breaches than business associates and other vendors, but that’s likely due to there being “significantly more health care providers compared to other types of covered entities.”

The report shows that many HIPAA failures are caused by covered entities failing to conduct accurate and thorough risk analyses, which could have contributed to the increase in the number of breaches during the assessed time period. What’s more, a common factor by those reporting breaches to OCR is a lack of multi-factor authentication.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.