Secretary Tom Price of the U.S. Department of Health and Human Services (HHS) announced his agency needs “to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches.” Accordingly, HHS’ Office of Civil Rights has launched a revised web tool providing information about HIPAA breaches. The tool, the HIPAA Breach Reporting Tool (HBRT), features improved navigation helping those looking for information on breaches and ease-of-use for organizations reporting incidents. It also gives health care providers, health plans and business associates easy access to a database from which they can gain a better sense of the common types of breaches and the steps HHS is calling for in order to resolve HIPAA breach cases.
The HBRT was originally launched in 2009, as required by the HITECH Act, providing information regarding HIPAA breaches involving 500 or more individuals. HHS announced that the HBRT’s new features include:
Enhanced functionality and search capabilities allowing users to learn more about breaches currently under investigation and reported within the last 24 months;
New archive that includes all older breaches and information about how breaches were resolved;
Improved navigation to additional breach information; and
Tips for consumers.
The HBRT provides information such as: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer). Additional enhancements are expected in the future.
HIPAA covered entities and business associates may find the HBRT helpful for identifying areas in which to focus their information security efforts. In recent months, there have been several high profile data breaches involving the unauthorized disclosure of the protected health information of several hundred thousand individuals. In this environment of increasing security threats and regulator scrutiny, it would be prudent for entities in possession of individually identifiable health information of patients to take active steps to review and, where appropriate, enhance their security measures. The HBRT could be a helpful tool for assisting in those efforts.