GAO Calls for HHS HIPAA Breach Reporting Feedback Mechanism

The Government Accountability Office (GAO) has issued a report recommending that the Department of Health and Human Services (HHS) introduce a feedback mechanism to improve its breach reporting procedure.

The GAO found in its report that between 2015 and 2021, approximately 5 million to 113 million individuals were affected by healthcare data breaches each year. Since the HHS' Office for Civil Rights (OCR) was designated the primary enforcer of HIPAA law, HIPAA-covered entities have received a total of 110 penalties for HIPAA violations. In January 2021, changes were made to the HITECH Act, a component of HIPAA law, requiring the OCR to consider whether security practices had been in place for the previous 12 months when deciding sanctions for covered entities that suffer breaches of PHI. Since January, the OCR has been requesting feedback before finalizing the update to the Act.

According to the GAO, the office was asked to examine the breach reporting procedure, to determine the degree to which the HHS had established a review procedure for evaluating whether covered entities had implemented appropriate security practices, and to determine the extent to which the requirements of the breach reporting procedure could be improved. To achieve this, the GAO examined privacy and security laws, reviewed the HHS' documentation, interviewed the relevant OCR officials, and assessed covered entities.

In the GAO's report, it was found that while the OCR is responsible for developing and managing the breach reporting procedure, it has not given covered entities a way to provide feedback on that procedure. Without the ability to provide feedback, covered entities cannot report issues they encounter when reporting a breach. The OCR has agreed to include contact information in the confirmation emails sent to entities that report breaches of PHI, and will instruct personnel to regularly review emails concerning issues with the breach reporting procedure.