GAO: HHS Needs Breach Reporting Feedback Mechanism
Report Calls for New HHS Communication Method for Breached Entities
The U.S. government talks but doesn't listen when it comes to the process healthcare companies undergo to disclose data breaches, says a federal watchdog.
A key recommendation from the Government Accountability Office in a Monday report is for the Department of Health and Human Services to implement a formal mechanism for HIPAA-covered entities and business associates to give and receive feedback about that process.
Respondents to a GAO survey of the healthcare industry were solidly unenthusiastic about the prospects for communication with the government at the moment of reporting a breach to the department's Office for Civil Rights. Seventy of the 88 voluntary respondents to the nonscientific survey indicated communication-related challenges associated with breach reporting, while only four said they had none.
Any healthcare industry entity at a loss about how to comply with its breach reporting obligations currently has three options, the GAO says: schedule a meeting, contact OCR via a publicly available email address, or mail a physical letter.
Putting in place a dedicated feedback mechanism could help OCR improve or simplify aspects of the breach reporting process and may decrease long lapses in communication during ongoing breach reporting investigations, the GAO says. HHS OCR is the agency responsible for implementing and enforcing the HIPAA Privacy, Security and Breach Notification Rules.
Room for Improvement
Industry experts were quick to find areas of the data breach process they'd be willing to offer feedback on.
Privacy attorney Adam Greene of Davis Wright Tremaine says the agency's web-based breach reporting form is highly structured and accepts only certain types of data in certain fields.
"This is helpful for OCR's data collection efforts to ensure consistent data, but every once in a while a breach may represent a square peg that does not fit into the form's round hole," he says. At a minimum, he adds, it would be helpful to have a field at the end of the reporting process to identify whether there were any issues during reporting. "The ideal would be a dedicated resource listed on each breach page to call with any questions, but OCR likely does not have the staffing to best support such a feature."
Covered entities and business associates face other challenges as well in breach reporting to HHS OCR.
For example, there has long been confusion over which breach category - "hacking/IT incident" or "unauthorized access/disclosure" - a ransomware attack belongs in on HHS OCR's reporting site, says Susan Lucci, senior privacy and security consultant at consultancy tw-Security.
Another area of confusion is whether the covered entity or the business associate should report a breach. Without a definitive answer, the industry has at times double-reported an incident, Lucci says. "Sometimes when a covered entity is also a business associate to another covered entity, this is when who should report gets confusing."
The GAO report says that from 2015 to 2021, OCR saw a steady increase in the number of major breaches reported annually. The number of individuals affected each year ranged from 5 million to 113 million.
The largest number of affected individuals in a single year - 113 million - was in 2015, in large part because cyberattacks on health plans Anthem Inc. and Premera Blue Cross resulted in those companies reporting breaches affecting nearly 79 million and 11 million individuals, respectively.
Overall, GAO says, HHS' data indicates that approximately 270 million individuals have been affected by about 3,200 major breaches reported since 2015. Major breaches are those affecting 500 or more individuals.
GAO cites a surge in hacking incidents, as well as a rise in attacks targeting business associates that hold protected health information (PHI) for many covered entities, as reasons why the total number of individuals affected by health data breaches continues to climb.