GAO: HHS Must Create System for Getting Comments on HIPAA Data Breach Reporting Process

The Government Accountability Office (GAO) has advised the Department of Health and Human Services (HHS) to create a feedback system to enhance the efficiency of its data breach reporting procedure.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, section of the American Recovery and Reinvestment Act of 2009, required the Secretary of the HHS to make and keep a listing of data breaches of unsecured protected health information (PHI) involving 500 and up persons on its website.

The HHS’ Office for Civil Rights (OCR) Breach Website lists breaches affecting the personally identifiable protected health information (PHI), for example, unauthorized PHI access and disclosures, compromise, loss and/or theft. There has been an increasing number of reported data breaches every year. 2021 had 714 data breach reports involving 500 and up records submitted to OCR.

GAO mentioned in its report that from 2015 to 2021, the number of people impacted by healthcare data breaches that occurred at healthcare companies, healthcare clearinghouses, health plans, and business associates is about 5 million to 113 million annually.

OCR is the primary agency enforcing Health Insurance Portability and Accountability Act (HIPAA) compliance. OCR investigates data breaches and complaints to confirm whether there are HIPAA violations. Thus far, OCR has penalized 110 HIPAA-regulated entities that were found to have committed HIPAA Rules. violations.

In January 2021, the HITECH Act was revised requiring OCR to take into account the ‘recognized security practices’ that are set up for the 12 consecutive months prior to making decisions about enforcement actions against HIPAA-regulated entities with breaches of PHI incidents. OCR requested reactions from the public about the conduct of recognized security practices and will be finalized this summer.

GAO stated it was asked to do an evaluation on the breach reporting procedure, figure out the degree to which the HHS had set up a review procedure to evaluate whether covered entities had put in place recognized security practices, and find out the degree to which enhancements can be made associated with the HHS breach reporting specifications.

With that process, GAO examined privacy and information security rules; looked at HHS records, policies, and operations; questioned cognizant OCR officers; and conducted a survey of HIPAA-regulated entities.

GAO stated in its report that OCR was asked to develop and manage the breach reporting process yet did not set up a process allowing HIPAA-regulated entities to give responses on the breach reporting procedure. With no such system, HIPAA-regulated entities may encounter difficulties with the breach reporting process and do not have a clear method of reporting those problems to OCR. GAO has advised the creation of such a process, as this could help OCR to enhance facets of the breach reporting procedure.

The HHS agreed with the GAO advice and mentioned that OCR will create a system for regulated entities to give feedback on the process of breach reporting and investigation. This could be accomplished by including language and contact details in the confirmation email messages that HIPAA-regulated entities get when they submit data breach reports via the HHS Breach Website. The HHS stated it will additionally issue processes to OCR’s regional offices that necessitate them to routinely check and address emails acquired concerning the breach reporting process.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at