GAO Calls on HHS to Improve Healthcare Data Breach Reporting Process

In a new report, GAO suggested that HHS improve its healthcare data breach reporting process to allow entities to provide feedback on it.

In its latest report, the US Government Accountability Office (GAO) called on HHS to improve the healthcare data breach reporting process. Specifically, GAO urged HHS to create a mechanism for entities to provide feedback on the breach reporting process.

GAO studied the number of breaches reported to HHS since 2015, analyzed the extent to which HHS established a review process to assess a covered entity’s security practices, and assessed improvement opportunities relating to breach reporting requirements.

The HHS Office for Civil Rights (OCR) is in charge of enforcing and implementing the HIPAA Security Rule, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule, along with the development and management of the breach reporting process. On its data breach portal, OCR lists all healthcare data breaches impacting more than 500 individuals.

The reported breaches have been increasing rapidly over the past few years. In 2015, GAO’s analysis showed, there were 270 healthcare data breaches impacting more than 500 people each. In 2021, covered entities and their business associates reported a total of 714 breaches impacting more than 500 people.

“OCR’s Deputy Director for Health Information Privacy stated that the number of reported breaches may be correlated with increasing IT-related crimes. According to the Federal Bureau of Investigation, some of the most common IT-related crimes, among others, have included ransomware attacks and business email compromises,” the report stated.

“In addition, the Deputy Director said that health care providers may have reported the highest number of breaches because there are significantly more health care providers compared to other types of covered entities.”

But as breaches increase and more entities find themselves reporting them to HHS, there is still no tool for providing meaningful feedback on the breach reporting process to HHS.

“Without a clear mechanism to provide feedback to OCR, covered entities and business associates may face challenges during the breach reporting process. Further, soliciting feedback on the breach reporting process could help OCR improve or simplify aspects of the process and may decrease long lapses of communication during ongoing breach reporting investigations,” the GAO report continued.

As exemplified in the report, reporting an incident to OCR’s breach portal is just the first step in the breach reporting process. Once OCR is notified, an OCR regional office must verify the breach within 10 business days.

Next, the regional office initiates an investigation into the root cause of the breach and confirms that the impacted entity has notified affected individuals.

The process of closing the investigation can vary depending on the results. OCR either concludes that the entity took adequate steps to safeguard PHI and takes no further action, or it determines that the entity did not secure PHI as required by HIPAA. If the latter occurs, OCR may impose a civil monetary penalty, help the entity correct deficiencies, or establish a corrective action plan.

Throughout this process, there is no formal way to provide feedback, GAO noted. If an entity experienced challenges during the process, its options were limited to scheduling a meeting, writing a letter to OCR, or emailing OCR’s publicly available email address.

HHS concurred with GAO’s recommendations and said it would begin soliciting feedback related to the breach reporting process.

“Specifically, OCR plans to add language and contact information to the confirmation email that regulated entities receive when they submit breach reports through the HHS Breach Portal to invite feedback and questions about the breach reporting process,” GAO stated.

“The agency also plans to implement procedures for OCR’s regional offices to regularly review and address emails received about the breach reporting process through their respective mailboxes. We will continue to follow up with HHS to validate its implementation of this recommendation.”

In addition to analyzing the breach reporting feedback process, GAO’s report also analyzed OCR’s methods of assessing whether covered entities had implemented recognized security practices, as required by the HIPAA Safe Harbor bill, a January 2021 amendment to HITECH.

To advance these efforts, in March 2022, OCR finalized standard operating procedures for investigators to use when assessing these security practices. Additionally, OCR issued a request for information to seek input on the contents of the recognized security practices in early April. OCR received feedback from a variety of industry groups and later announced that it would produce a video presentation on HITECH recognized security practices.

“OCR plans to finalize the review process for considering whether covered entities and business associates have implemented recognized security practices no later than the summer of 2022,” the report explained.

“If the office can complete the associated tasks in the expected timeframe, covered entities and business associates would have more information available on the process and in turn may be better equipped to prepare for OCR’s breach investigations.”
