I received a phone call from OCR this morning to discuss my FOI request for the breach reports HHS is receiving under HITECH regulations. I had requested electronic copies of the reporting forms breached entities submitted via HHS’s web site. The conversation was a bit of an eye-opener for me.
First, it turns out that they cannot give me many of the reports just yet, because under their policies, they treat each and every report as a self-reported complaint that requires an investigation for compliance with HIPAA’s privacy rule. Because investigations are not public while they are ongoing, anything the breached entity submitted would be exempt from production under FOI. Once the investigations are closed, however, they can provide the records.
Slightly over one dozen cases reported since the new reporting went into effect in September 2009 have now been closed, and I will be sent those records very soon. It took a while to figure out whether I really wanted the full investigation records or just some summary documents. I decided that for now, getting the breach report and the closure letter would, in combination with the HHS/OCR web site entries, probably give me enough information to determine if particular breaches involved SSN or financial information, and what happened (how the breach occurred).
So stay tuned, and great thanks to OCR for their call and helpfulness. I will probably have to file a new FOI request each month for the rest of my life, but hey, at least now I understand the process and we will be getting more data.