Several weeks ago, I initiated an inquiry about the breach reports that I expected to see on HHS’s web site. Under the new HITECH Act provisions, covered entities experiencing breaches involving the unsecured PHI of 500 or more patients are required to report the incident to HHS – if the incident meets the “harm threshold” that HHS added to the regulations despite the language of the statute and Congress’s clear intentions. Did the harm threshold give everyone a “pass” on reporting incidents to HHS, or is HHS just behind in getting the reports up on their web site? Inquiring minds wanted to know.
As it turns out, HHS has received breach reports under the new law, but is first working out a number of issues before reports will be uploaded to their site. According to a senior health information privacy specialist with whom I spoke yesterday, HHS has not yet determined whether the reports submitted to it in various formats should be uploaded as is or whether some “user-friendly” report should be provided by HHS for the incident. HHS is also reportedly concerned about going through documentation carefully to ensure that they do not accidentally publicly reveal any personal information that might be contained in any reports. According to the specialist, HHS has not created or disseminated any template for covered entities to use in reporting incidents [see Sam’s comment and my comment below for a clarification on this].
Predictably, I tried to encourage HHS to just upload what they get — just as a number of states do. While HHS is uploading what they already have, they can develop a template that includes the kind of details those of us who track and analyze breaches will find helpful. Somehow I doubt they’ll take my well-meant advice, however.
So when will we actually see the first reports showing up on HHS’s web site? The specialist could not say, but I hope the fact that HHS knows that people are waiting and inquiring will encourage them to get the information out to the public sooner rather than later. Nor did the specialist know how many reports HHS has already received, but he did say that they were receiving reports from all over.
In the meantime, I’ll just sit over here and wonder about what we’ll learn when reports are finally available for public inspection.
As a vendor who is formulating our breach reporting and process policy, the questions raised in this post are very interesting. How are we to report breaches, and are we to expect that what we report is public information, or the property of the government & those whose privacy has been compromised? I had thought that our policy must inform those who were compromised and the government. I had assumed that a breach that had occurred out of our shop would, in aggregate, be available to the public, but not the details of our disclosures.
Of course in the best of worlds we will never have to report a breach, and we are working hard to ensure that these breaches do not occur.
Hi Skip,
First: if you send a breach disclosure notice to an individual, it becomes their property and they are free to do with it what they want — including sending it to this site or databreaches.net or any other site, who can then publish it as newsworthy and a matter of public interest.
Second: some entities have tried to have their breach reports shielded from public disclosure by state agencies by claiming “trade secrets.” That argument usually fails unless there are really details in the disclosure that might compromise the security of the entity’s system should it be disclosed. Just claiming that your reputation will be harmed by public disclosure is not sufficient justification to overcome the argument of public interest. My assumption and experience as a citizen journalist/blogger is that breach reports are public records and are generally subject to freedom of information requests.
In other words, assume that whatever you send may get into the media eventually.
I may just be misunderstanding the issue; apologies if so. Your post states: “According to the specialist, HHS has not created or disseminated any template for covered entities to use in reporting incidents.” However, isn’t the HHS electronic report form (http://transparency.cit.nih.gov/breach/index.cfm) what covered entities are supposed to submit to the Secretary upon a data breach? Or are you referring to some additional notice that is required?
I’m glad you posted that link, Sam. I reported what I was told, but it’s possible that the spokesperson was confused about the template and that the template is for HHS to take the info submitted on the form you link to and convert it into some other briefer, “user-friendly” format. Personally, I’d prefer to see all of the data submitted by an entity instead of having it summarized or altered in any way by HHS.