The following is cross-posted from PHIprivacy.net:
Under the provisions of the HITECH Act that went into effect several months ago, covered entities are required to report breaches involving the unsecured protected health information of 500 or more individuals to the Secretary of the U.S. Department of Health & Human Services. Unfortunately, HHS watered down the law in formulating the regulations to introduce a “harm” threshold, where the risk of harm is determined by the entity who was breached. Talk about letting the fox guard the hen house. If the entity doesn’t believe that the breach poses a significant risk of financial, reputational, or other harm to the individual, then they do not need to notify the individual and they do not need to notify HHS.
I do not know if any of my readers have been checking HHS’s web site to see what entities have been reporting breaches, but I’ve been checking it, as I was delighted that they got the web site ready and available.
To date, however, there are no breaches reported on HHS’s web site.
Curious as to whether this means that there have been no breaches reported under the new disclosure requirements or whether HHS is just behind in updating its site, I called HHS on Wednesday morning. The switchboard transferred me over to my state HHS office, despite my protests that this was federal, not state. My state tried to connect me to another number, which was a non-working number. I called Washington again, this time trying the press office and telling them that this was a media inquiry. Somehow, I wound up speaking to the NHIT Coordinator’s Office, who informed me that they couldn’t answer my question and that I should call OCR, although they couldn’t tell me who or which office at OCR to call. So I called OCR’s main number, and not surprisingly, the switchboard had no idea who to transfer me to but promised to have someone call me back.
Forty-eight hours later, I had still received no callback, so I started calling again. This time, I called the press office first and told them that I was media, was tired of being bounced around and not getting a call back, and repeated my inquiry. The person I spoke to gave me the name and number of a supervisor, and lo and behold, 30 minutes later, I found myself on a speakerphone call with the supervisor and an employee who assured me that he was the right person to speak to and that he would get back to me by phone or email.
I told him he’s my new best friend. It’s now about four hours later, and I haven’t heard back from my new best friend, but I hope I’ll hear something on Monday.
Is it possible that because of the new harm threshold, there have been no reports? Or do you suspect that HHS just hasn’t updated their site? Place your bets now.